package mysql

import (
	"context"
	"database/sql"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
	"time"

	"github.com/doug-martin/goqu/v9"
	_ "github.com/doug-martin/goqu/v9/dialect/mysql"
	"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
	"github.com/fleetdm/fleet/v4/server/datastore/mysql/common_mysql"
	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/fleetdm/fleet/v4/server/ptr"
	"github.com/go-kit/log"
	"github.com/go-kit/log/level"
	"github.com/google/uuid"
	"github.com/jmoiron/sqlx"
	"go.opentelemetry.io/otel"
	"go.opentelemetry.io/otel/attribute"
	"go.opentelemetry.io/otel/trace"
)

type softwareSummary struct {
	ID               uint    `db:"id"`
	Checksum         string  `db:"checksum"`
	Name             string  `db:"name"`
	TitleID          *uint   `db:"title_id"`
	BundleIdentifier *string `db:"bundle_identifier"`
	UpgradeCode      *string `db:"upgrade_code"`
	Source           string  `db:"source"`
}

type oldAndNewUpgradeCodePtrs struct {
	old *string
	new *string
}

// tracer is an OTEL tracer. It has no-op behavior when OTEL is not enabled.
// If provider is set later (with otel.SetTracerProvider), the tracer will start using the new provider.
var tracer = otel.Tracer("github.com/fleetdm/fleet/v4/server/datastore/mysql")

// Since DB may have millions of software items, we need to batch the aggregation counts to avoid long SQL query times.
// This is a variable so it can be adjusted during unit testing.
var countHostSoftwareBatchSize = uint64(100000)

// trailingNonWordChars matches trailing anything not a letter, digit, or underscore
var trailingNonWordChars = regexp.MustCompile(`\W+$`)

// Since a host may have a lot of software items, we need to batch the inserts.
// The maximum number of software items we can insert at one time is governed by max_allowed_packet, which already be set to a high value for MDM bootstrap packages,
// and by the maximum number of placeholders in a prepared statement, which is 65,536. These are already fairly large limits.
// This is a variable, so it can be adjusted during unit testing.
var softwareInsertBatchSize = 1000

// softwareInventoryInsertBatchSize is used for pre-inserting software inventory entries
// outside the main software ingestion transaction. Smaller batches reduce lock contention.
var softwareInventoryInsertBatchSize = 100

func softwareSliceToMap(softwareItems []fleet.Software) map[string]fleet.Software {
	result := make(map[string]fleet.Software, len(softwareItems))
	for _, s := range softwareItems {
		result[s.ToUniqueStr()] = s
	}
	return result
}

func (ds *Datastore) UpdateHostSoftware(ctx context.Context, hostID uint, software []fleet.Software) (*fleet.UpdateHostSoftwareDBResult, error) {
	// OTEL instrumentation. It has no-op behavior when OTEL is not enabled.
	ctx, span := tracer.Start(ctx, "mysql.UpdateHostSoftware",
		trace.WithSpanKind(trace.SpanKindInternal),
		trace.WithAttributes(
			attribute.Int("host_id", int(hostID)), //nolint:gosec
			attribute.Int("software_count", len(software)),
		))
	defer span.End()

	return ds.applyChangesForNewSoftwareDB(ctx, hostID, software)
}

func (ds *Datastore) UpdateHostSoftwareInstalledPaths(
	ctx context.Context,
	hostID uint,
	reported map[string]struct{},
	mutationResults *fleet.UpdateHostSoftwareDBResult,
) error {
	currS := mutationResults.CurrInstalled()

	hsip, err := ds.getHostSoftwareInstalledPaths(ctx, hostID)
	if err != nil {
		return err
	}

	toI, toD, err := hostSoftwareInstalledPathsDelta(hostID, reported, hsip, currS, ds.logger)
	if err != nil {
		return err
	}

	if len(toI) == 0 && len(toD) == 0 {
		// Nothing to do ...
		return nil
	}

	return ds.withRetryTxx(ctx, func(tx sqlx.ExtContext) error {
		if err := deleteHostSoftwareInstalledPaths(ctx, tx, toD); err != nil {
			return err
		}

		if err := insertHostSoftwareInstalledPaths(ctx, tx, toI); err != nil {
			return err
		}

		return nil
	})
}

// getHostSoftwareInstalledPaths returns all HostSoftwareInstalledPath for the given hostID.
func (ds *Datastore) getHostSoftwareInstalledPaths(
	ctx context.Context,
	hostID uint,
) (
	[]fleet.HostSoftwareInstalledPath,
	error,
) {
	stmt := `
		SELECT t.id, t.host_id, t.software_id, t.installed_path, t.team_identifier, t.executable_sha256
		FROM host_software_installed_paths t
		WHERE t.host_id = ?
	`

	var result []fleet.HostSoftwareInstalledPath
	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &result, stmt, hostID); err != nil {
		return nil, err
	}

	return result, nil
}

// hostSoftwareInstalledPathsDelta returns what should be inserted and deleted to keep the
// 'host_software_installed_paths' table in-sync with the osquery reported query results.
// 'reported' is a set of 'installed_path-software.UniqueStr' strings, built from the osquery
// results.
// 'stored' contains all 'host_software_installed_paths' rows for the given host.
// 'hostSoftware' contains the current software installed on the host.
func hostSoftwareInstalledPathsDelta(
	hostID uint,
	reported map[string]struct{},
	stored []fleet.HostSoftwareInstalledPath,
	hostSoftware []fleet.Software,
	logger log.Logger,
) (
	toInsert []fleet.HostSoftwareInstalledPath,
	toDelete []uint,
	err error,
) {
	if len(reported) != 0 && len(hostSoftware) == 0 {
		// Error condition, something reported implies that the host has some software
		err = fmt.Errorf("software installed paths for host %d were reported but host contains no software", hostID)
		return
	}

	sIDLookup := map[uint]fleet.Software{}
	for _, s := range hostSoftware {
		sIDLookup[s.ID] = s
	}

	sUnqStrLook := map[string]fleet.Software{}
	for _, s := range hostSoftware {
		sUnqStrLook[s.ToUniqueStr()] = s
	}

	iSPathLookup := make(map[string]fleet.HostSoftwareInstalledPath)
	for _, r := range stored {
		s, ok := sIDLookup[r.SoftwareID]
		// Software currently not found on the host, should be deleted ...
		if !ok {
			toDelete = append(toDelete, r.ID)
			continue
		}
		var sha256 string
		if r.ExecutableSHA256 != nil {
			sha256 = *r.ExecutableSHA256
		}
		key := fmt.Sprintf(
			"%s%s%s%s%s%s%s",
			r.InstalledPath, fleet.SoftwareFieldSeparator, r.TeamIdentifier, fleet.SoftwareFieldSeparator, sha256, fleet.SoftwareFieldSeparator, s.ToUniqueStr(),
		)
		iSPathLookup[key] = r

		// Anything stored but not reported should be deleted
		if _, ok := reported[key]; !ok {
			toDelete = append(toDelete, r.ID)
		}
	}

	for key := range reported {
		parts := strings.SplitN(key, fleet.SoftwareFieldSeparator, 4)
		installedPath, teamIdentifier, cdHash, unqStr := parts[0], parts[1], parts[2], parts[3]

		// Shouldn't be a common occurence ... everything 'reported' should be in the the software table
		// because this executes after 'ds.UpdateHostSoftware'
		s, ok := sUnqStrLook[unqStr]
		if !ok {
			level.Debug(logger).Log("msg", "skipping installed path for software not found", "host_id", hostID, "unq_str", unqStr)
			continue
		}

		if _, ok := iSPathLookup[key]; ok {
			// Nothing to do
			continue
		}

		var executableSHA256 *string
		if cdHash != "" {
			executableSHA256 = ptr.String(cdHash)
		}

		toInsert = append(toInsert, fleet.HostSoftwareInstalledPath{
			HostID:           hostID,
			SoftwareID:       s.ID,
			InstalledPath:    installedPath,
			TeamIdentifier:   teamIdentifier,
			ExecutableSHA256: executableSHA256,
		})
	}

	return
}

func deleteHostSoftwareInstalledPaths(
	ctx context.Context,
	tx sqlx.ExtContext,
	toDelete []uint,
) error {
	if len(toDelete) == 0 {
		return nil
	}

	stmt := `DELETE FROM host_software_installed_paths WHERE id IN (?)`
	stmt, args, err := sqlx.In(stmt, toDelete)
	if err != nil {
		return ctxerr.Wrap(ctx, err, "building delete statement for delete host_software_installed_paths")
	}
	if _, err := tx.ExecContext(ctx, stmt, args...); err != nil {
		return ctxerr.Wrap(ctx, err, "executing delete statement for delete host_software_installed_paths")
	}

	return nil
}

func insertHostSoftwareInstalledPaths(
	ctx context.Context,
	tx sqlx.ExtContext,
	toInsert []fleet.HostSoftwareInstalledPath,
) error {
	if len(toInsert) == 0 {
		return nil
	}

	stmt := "INSERT INTO host_software_installed_paths (host_id, software_id, installed_path, team_identifier, executable_sha256) VALUES %s"
	batchSize := 500

	for i := 0; i < len(toInsert); i += batchSize {
		end := i + batchSize
		if end > len(toInsert) {
			end = len(toInsert)
		}
		batch := toInsert[i:end]

		var args []interface{}
		for _, v := range batch {
			args = append(args, v.HostID, v.SoftwareID, v.InstalledPath, v.TeamIdentifier, v.ExecutableSHA256)
		}

		placeHolders := strings.TrimSuffix(strings.Repeat("(?, ?, ?, ?, ?), ", len(batch)), ", ")
		stmt := fmt.Sprintf(stmt, placeHolders)

		_, err := tx.ExecContext(ctx, stmt, args...)
		if err != nil {
			return ctxerr.Wrap(ctx, err, "inserting rows into host_software_installed_paths")
		}
	}

	return nil
}

func nothingChanged(current, incoming []fleet.Software, minLastOpenedAtDiff time.Duration) (
	map[string]fleet.Software, map[string]fleet.Software, bool,
) {
	// Process incoming software to ensure there are no duplicates, since the same software can be installed at multiple paths.
	incomingMap := make(map[string]fleet.Software, len(current)) // setting len(current) as the length since that should be the common case
	for _, s := range incoming {
		uniqueStr := s.ToUniqueStr()
		if duplicate, ok := incomingMap[uniqueStr]; ok {
			// Check the last opened at timestamp and keep the latest.
			if s.LastOpenedAt == nil ||
				(duplicate.LastOpenedAt != nil && !s.LastOpenedAt.After(*duplicate.LastOpenedAt)) {
				continue // keep the duplicate
			}
		}
		incomingMap[uniqueStr] = s
	}
	currentMap := softwareSliceToMap(current)
	if len(currentMap) != len(incomingMap) {
		return currentMap, incomingMap, false
	}

	for _, s := range incomingMap {
		cur, ok := currentMap[s.ToUniqueStr()]
		if !ok {
			return currentMap, incomingMap, false
		}

		// if the incoming software has a last opened at timestamp and it differs
		// significantly from the current timestamp (or there is no current
		// timestamp), then consider that something changed.
		if s.LastOpenedAt != nil {
			if cur.LastOpenedAt == nil {
				return currentMap, incomingMap, false
			}

			oldLast := *cur.LastOpenedAt
			newLast := *s.LastOpenedAt
			if newLast.Sub(oldLast) >= minLastOpenedAtDiff {
				return currentMap, incomingMap, false
			}
		}
	}

	return currentMap, incomingMap, true
}

func (ds *Datastore) ListSoftwareByHostIDShort(ctx context.Context, hostID uint) ([]fleet.Software, error) {
	return listSoftwareByHostIDShort(ctx, ds.reader(ctx), hostID)
}

func listSoftwareByHostIDShort(
	ctx context.Context,
	db sqlx.QueryerContext,
	hostID uint,
) ([]fleet.Software, error) {
	q := `
SELECT
    s.id,
    s.name,
    s.version,
    s.source,
    s.extension_for,
    s.bundle_identifier,
    s.release,
    s.vendor,
    s.arch,
    s.extension_id,
    s.upgrade_code,
    hs.last_opened_at
FROM
    software s
    JOIN host_software hs ON hs.software_id = s.id
WHERE
    hs.host_id = ?
`
	var softwares []fleet.Software
	err := sqlx.SelectContext(ctx, db, &softwares, q, hostID)
	if err != nil {
		return nil, err
	}

	return softwares, nil
}

// filterSoftwareWithEmptyNames removes software entries with empty names in-place.
// This is a well-known Go idiom: https://go.dev/wiki/SliceTricks#filter-in-place
func filterSoftwareWithEmptyNames(software []fleet.Software) []fleet.Software {
	n := 0
	for _, sw := range software {
		if sw.Name != "" {
			software[n] = sw
			n++
		}
	}
	return software[:n]
}

// applyChangesForNewSoftwareDB returns the current host software and the applied mutations: what
// was inserted and what was deleted
func (ds *Datastore) applyChangesForNewSoftwareDB(
	ctx context.Context,
	hostID uint,
	incomingSoftware []fleet.Software,
) (*fleet.UpdateHostSoftwareDBResult, error) {
	r := &fleet.UpdateHostSoftwareDBResult{}

	// We want to make sure we have valid data before proceeding. We've seen Windows programs with empty names.
	incomingSoftware = filterSoftwareWithEmptyNames(incomingSoftware)

	// This code executes once an hour for each host, so we should optimize for MySQL writer DB performance.
	// We use a reader DB to avoid accessing the writer. If nothing has changed, we avoid all access to the writer.
	// It is possible that the software list is out of sync between the reader and the writer. This is unlikely because
	// it is updated once an hour under normal circumstances. If this does occur, the software list will be updated
	// once again in an hour.
	currentSoftware, err := listSoftwareByHostIDShort(ctx, ds.reader(ctx), hostID)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "loading current software for host")
	}
	r.WasCurrInstalled = currentSoftware

	current, incoming, noChanges := nothingChanged(currentSoftware, incomingSoftware, ds.minLastOpenedAtDiff)
	if noChanges {
		return r, nil
	}

	existingSoftwareSummaries, incomingSoftwareByChecksum, incomingChecksumsToExistingTitles, err := ds.getExistingSoftware(ctx, current, incoming)
	if err != nil {
		return r, err
	}

	// PHASE 1: Pre-insert software inventory data outside the main transaction
	// This reduces lock contention by breaking up large INSERT IGNORE operations
	// into smaller, faster transactions that release locks quickly.
	// These operations are idempotent due to INSERT IGNORE.
	if len(incomingSoftwareByChecksum) > 0 {

		err = ds.reconcileExistingTitleEmptyUpgradeCodes(ctx, incomingSoftwareByChecksum, incomingChecksumsToExistingTitles)
		if err != nil {
			return nil, ctxerr.Wrap(ctx, err, "update software titles upgrade code")
		}
		// Pre-insert software and titles in small batches
		err = ds.preInsertSoftwareInventory(ctx, existingSoftwareSummaries, incomingSoftwareByChecksum, incomingChecksumsToExistingTitles)
		if err != nil {
			return nil, ctxerr.Wrap(ctx, err, "pre-insert software inventory")
		}

	}

	// PHASE 2: Main transaction for host-specific operations
	// We do not retry the transaction here because we do not want to overwhelm the DB.
	// The transaction will be retried naturally when the agent refreshes (or IT admin requests a refresh).
	err = ds.withTx(
		ctx, func(tx sqlx.ExtContext) error {
			deleted, err := deleteUninstalledHostSoftwareDB(ctx, tx, hostID, current, incoming)
			if err != nil {
				return err
			}
			r.Deleted = deleted

			// Link the pre-inserted software to this host
			// Software inventory entries were already created in Phase 1
			inserted, err := ds.linkSoftwareToHost(ctx, tx, hostID, incomingSoftwareByChecksum)
			if err != nil {
				return err
			}
			r.Inserted = inserted

			if err = checkForDeletedInstalledSoftware(ctx, tx, deleted, r.Inserted, hostID); err != nil {
				return err
			}

			if err = updateModifiedHostSoftwareDB(ctx, tx, hostID, current, incoming, ds.minLastOpenedAtDiff, ds.logger); err != nil {
				return err
			}

			if err = updateSoftwareUpdatedAt(ctx, tx, hostID); err != nil {
				return err
			}
			return nil
		},
	)
	if err != nil {
		// Check if this is a retryable error (e.g., deadlock, lock timeout)
		if common_mysql.RetryableError(err) {
			// Log the retryable error and return the current state without changes.
			// The transaction rolled back, so Deleted and Inserted will be empty.
			level.Info(ds.logger).Log("msg", "retryable error during software update, will retry on next agent refresh", "err", err, "host_id", hostID)
			return r, nil
		}
		return nil, err
	}
	return r, nil
}

func checkForDeletedInstalledSoftware(ctx context.Context, tx sqlx.ExtContext, deleted []fleet.Software, inserted []fleet.Software,
	hostID uint,
) error {
	// Between deleted and inserted software, check which software titles were deleted.
	// If software titles were deleted, get the software titles of the installed software.
	// See if deleted titles match installed software titles.
	// If so, mark the installed software as removed.
	var deletedTitles map[string]struct{}
	if len(deleted) > 0 {
		deletedTitles = make(map[string]struct{}, len(deleted))
		for _, d := range deleted {
			// We don't support installing browser plugins as of 2024/08/22
			if d.ExtensionFor == "" {
				deletedTitles[UniqueSoftwareTitleStr(BundleIdentifierOrName(d.BundleIdentifier, d.Name), d.Source)] = struct{}{}
			}
		}
		for _, i := range inserted {
			// We don't support installing browser plugins as of 2024/08/22
			if i.ExtensionFor == "" {
				key := UniqueSoftwareTitleStr(BundleIdentifierOrName(i.BundleIdentifier, i.Name), i.Source)
				delete(deletedTitles, key)
			}
		}
	}
	if len(deletedTitles) > 0 {
		installedTitles, err := getInstalledByFleetSoftwareTitles(ctx, tx, hostID)
		if err != nil {
			return err
		}
		type deletedValue struct {
			vpp bool
		}
		deletedTitleIDs := make(map[uint]deletedValue, 0)
		for _, title := range installedTitles {
			bundleIdentifier := ""
			if title.BundleIdentifier != nil {
				bundleIdentifier = *title.BundleIdentifier
			}
			key := UniqueSoftwareTitleStr(BundleIdentifierOrName(bundleIdentifier, title.Name), title.Source)
			if _, ok := deletedTitles[key]; ok {
				deletedTitleIDs[title.ID] = deletedValue{vpp: title.VPPAppsCount > 0}
			}
		}
		if len(deletedTitleIDs) > 0 {
			IDs := make([]uint, 0, len(deletedTitleIDs))
			vppIDs := make([]uint, 0, len(deletedTitleIDs))
			for id, value := range deletedTitleIDs {
				if value.vpp {
					vppIDs = append(vppIDs, id)
				} else {
					IDs = append(IDs, id)
				}
			}
			if len(IDs) > 0 {
				if err = markHostSoftwareInstallsRemoved(ctx, tx, hostID, IDs); err != nil {
					return err
				}
			}
			if len(vppIDs) > 0 {
				if err = markHostVPPSoftwareInstallsRemoved(ctx, tx, hostID, vppIDs); err != nil {
					return err
				}
			}
		}
	}
	return nil
}

func (ds *Datastore) getExistingSoftware(
	ctx context.Context, current map[string]fleet.Software, incoming map[string]fleet.Software,
) (
	currentSoftwareSummaries []softwareSummary,
	newChecksumsToSoftware map[string]fleet.Software,
	incomingChecksumsToTitleSummaries map[string]fleet.SoftwareTitleSummary,
	err error,
) {
	// TODO(jacob) - the `incoming` argument here should already contain a map of checksum:Software, put
	// together by the `nothingChanged` function upstream. Is this redundant?
	// Compute checksums for all incoming software, which we will use for faster retrieval, since checksum is a unique index
	newChecksumsToSoftware = make(map[string]fleet.Software, len(current))
	// TODO(jacob) - below set seems to be the same as above map but without Software values for each key.
	// Are both necessary, or can we just use the map everywhere?
	setOfNewSWChecksums := make(map[string]struct{})
	for uniqueName, s := range incoming {
		_, ok := current[uniqueName]
		if !ok {
			// -> incoming SW is new
			checksum, err := s.ComputeRawChecksum()
			if err != nil {
				return nil, nil, nil, err
			}
			newChecksumsToSoftware[string(checksum)] = s
			setOfNewSWChecksums[string(checksum)] = struct{}{}
		}
	}

	if len(newChecksumsToSoftware) > 0 {
		sliceOfNewSWChecksums := make([]string, 0, len(newChecksumsToSoftware))
		for checksum := range newChecksumsToSoftware {
			sliceOfNewSWChecksums = append(sliceOfNewSWChecksums, checksum)
		}
		// We use the replica DB for retrieval to minimize the traffic to the writer DB.
		// It is OK if the software is not found in the replica DB, because we will then attempt to insert it in the writer DB.
		currentSoftwareSummaries, err = getExistingSoftwareSummariesByChecksums(ctx, ds.reader(ctx), sliceOfNewSWChecksums)
		if err != nil {
			return nil, nil, nil, err
		}

		for _, currentSoftwareSummary := range currentSoftwareSummaries {
			_, ok := newChecksumsToSoftware[currentSoftwareSummary.Checksum]
			if !ok {
				// This should never happen. If it does, we have a bug.
				return nil, nil, nil, ctxerr.New(
					ctx, fmt.Sprintf("current software: software not found for checksum %s", hex.EncodeToString([]byte(currentSoftwareSummary.Checksum))),
				)
			}
			delete(setOfNewSWChecksums, currentSoftwareSummary.Checksum)
		}
	}

	if len(setOfNewSWChecksums) == 0 {
		return currentSoftwareSummaries, newChecksumsToSoftware, incomingChecksumsToTitleSummaries, nil
	}

	// There's new software, so we try to get the titles already stored in `software_titles` for them.
	incomingChecksumsToTitleSummaries, _, err = ds.getIncomingSoftwareChecksumsToExistingTitles(ctx, setOfNewSWChecksums, newChecksumsToSoftware)
	if err != nil {
		return nil, nil, nil, ctxerr.Wrap(ctx, err, "get incoming software checksums to existing titles")
	}

	return currentSoftwareSummaries, newChecksumsToSoftware, incomingChecksumsToTitleSummaries, nil
}

// getIncomingSoftwareChecksumsToExistingTitles loads the existing titles for the new incoming software.
// It returns a map of software checksums to existing software titles.
//
// To make best use of separate indexes, it runs two queries to get the existing titles from the DB:
//   - One query for software with bundle_identifier.
//   - One query for software without bundle_identifier.
//
// TODO(jacob) - consider index and appropriate query here for Windows software `upgrade_code`s, similar to
// bundle identifier, if needed for optimization
func (ds *Datastore) getIncomingSoftwareChecksumsToExistingTitles(
	ctx context.Context,
	newSoftwareChecksums map[string]struct{},
	incomingChecksumToSoftware map[string]fleet.Software,
) (map[string]fleet.SoftwareTitleSummary, map[string]fleet.Software, error) {
	var (
		incomingChecksumsToTitleSummaries = make(map[string]fleet.SoftwareTitleSummary, len(newSoftwareChecksums))
		argsWithoutBundleIdentifier       []any
		argsWithBundleIdentifier          []any
		uniqueTitleStrToChecksums         = make(map[string][]string)
	)
	bundleIDsToIncomingNames := make(map[string]string)
	for checksum := range newSoftwareChecksums {
		sw := incomingChecksumToSoftware[checksum]
		if sw.BundleIdentifier != "" {
			bundleIDsToIncomingNames[sw.BundleIdentifier] = sw.Name
			argsWithBundleIdentifier = append(argsWithBundleIdentifier, sw.BundleIdentifier)
		} else {
			// TODO(jacob) - consider `upgrade_code` here and below if needed for additional specificity
			argsWithoutBundleIdentifier = append(argsWithoutBundleIdentifier, sw.Name, sw.Source, sw.ExtensionFor)
		}
		// Map software title identifier to software checksums so that we can map checksums to actual titles later.
		// Note: Multiple checksums can map to the same title (e.g., when names are truncated). This should not normally happen.
		titleStr := UniqueSoftwareTitleStr(
			BundleIdentifierOrName(sw.BundleIdentifier, sw.Name), sw.Source, sw.ExtensionFor,
		)
		existingChecksums := uniqueTitleStrToChecksums[titleStr]
		if len(existingChecksums) > 0 {
			// Log when multiple checksums map to the same title.
			existingChecksumsHex := make([]string, len(existingChecksums))
			for i, cs := range existingChecksums {
				existingChecksumsHex[i] = fmt.Sprintf("%x", cs)
			}
			level.Debug(ds.logger).Log(
				"msg", "multiple checksums mapping to same title",
				"title_str", titleStr,
				"new_checksum", fmt.Sprintf("%x", checksum),
				"existing_checksums", fmt.Sprintf("%v", existingChecksumsHex),
				"software_name", sw.Name,
				"software_version", sw.Version,
			)
		}
		uniqueTitleStrToChecksums[titleStr] = append(uniqueTitleStrToChecksums[titleStr], checksum)
	}

	// Get titles for software without bundle_identifier.
	if len(argsWithoutBundleIdentifier) > 0 {
		// Build IN clause with composite values for better performance
		// Each triplet of args represents (name, source, extension_for)
		numItems := len(argsWithoutBundleIdentifier) / 3
		valuePlaceholders := make([]string, 0, numItems)
		for i := 0; i < numItems; i++ {
			valuePlaceholders = append(valuePlaceholders, "(?, ?, ?)")
		}

		stmt := fmt.Sprintf(
			"SELECT id, name, source, extension_for, upgrade_code FROM software_titles WHERE (name, source, extension_for) IN (%s)",
			strings.Join(valuePlaceholders, ", "),
		)
		var existingTitleSummariesForNewSoftwareWithoutBundleIdentifier []fleet.SoftwareTitleSummary
		if err := sqlx.SelectContext(ctx,
			ds.reader(ctx),
			&existingTitleSummariesForNewSoftwareWithoutBundleIdentifier,
			stmt,
			argsWithoutBundleIdentifier...,
		); err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "get existing titles without bundle identifier")
		}
		for _, titleSummary := range existingTitleSummariesForNewSoftwareWithoutBundleIdentifier {
			// TODO - need to factor upgrade_code in here?
			checksums, ok := uniqueTitleStrToChecksums[UniqueSoftwareTitleStr(titleSummary.Name, titleSummary.Source, titleSummary.ExtensionFor)]
			if ok {
				// Map all checksums that correspond to this title
				for _, checksum := range checksums {
					incomingChecksumsToTitleSummaries[checksum] = titleSummary
				}
			}
		}
	}

	// Get titles for software with bundle_identifier
	existingBundleIDsToUpdate := make(map[string]fleet.Software)
	if len(argsWithBundleIdentifier) > 0 {
		// no-op code change
		// TODO(jacob) - this var name is shadowing the one in the outer scope. Is this successfully
		// adding titles-by-checksum for software with bundle ids?
		incomingChecksumsToTitleSummaries = make(map[string]fleet.SoftwareTitleSummary, len(newSoftwareChecksums))
		stmtBundleIdentifier := `SELECT id, name, source, extension_for, bundle_identifier FROM software_titles WHERE bundle_identifier IN (?)`
		stmtBundleIdentifier, argsWithBundleIdentifier, err := sqlx.In(stmtBundleIdentifier, argsWithBundleIdentifier)
		if err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "build query to get existing titles with bundle_identifier")
		}
		var existingSoftwareTitleSummariesForNewSoftwareWithBundleIdentifier []fleet.SoftwareTitleSummary
		if err := sqlx.SelectContext(ctx, ds.reader(ctx), &existingSoftwareTitleSummariesForNewSoftwareWithBundleIdentifier, stmtBundleIdentifier, argsWithBundleIdentifier...); err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "get existing titles with bundle_identifier")
		}
		// Map software titles to software checksums.
		for _, title := range existingSoftwareTitleSummariesForNewSoftwareWithBundleIdentifier {
			uniqueStrWithoutName := UniqueSoftwareTitleStr(*title.BundleIdentifier, title.Source, title.ExtensionFor)
			checksums, withoutName := uniqueTitleStrToChecksums[uniqueStrWithoutName]

			if withoutName {
				// Map all checksums that correspond to this title
				for _, checksum := range checksums {
					incomingChecksumsToTitleSummaries[checksum] = title
				}
			}
		}
	}

	return incomingChecksumsToTitleSummaries, existingBundleIDsToUpdate, nil
}

// BundleIdentifierOrName returns the bundle identifier if it is not empty, otherwise name
func BundleIdentifierOrName(bundleIdentifier, name string) string {
	if bundleIdentifier != "" {
		return bundleIdentifier
	}
	return name
}

// UniqueSoftwareTitleStr creates a unique string representation of the software title
func UniqueSoftwareTitleStr(values ...string) string {
	return strings.Join(values, fleet.SoftwareFieldSeparator)
}

// delete host_software that is in current map, but not in incoming map.
// returns the deleted software on the host
func deleteUninstalledHostSoftwareDB(
	ctx context.Context,
	tx sqlx.ExecerContext,
	hostID uint,
	currentMap map[string]fleet.Software,
	incomingMap map[string]fleet.Software,
) ([]fleet.Software, error) {
	var deletesHostSoftwareIDs []uint
	var deletedSoftware []fleet.Software

	for currentKey, curSw := range currentMap {
		if _, ok := incomingMap[currentKey]; !ok {
			deletedSoftware = append(deletedSoftware, curSw)
			deletesHostSoftwareIDs = append(deletesHostSoftwareIDs, curSw.ID)
		}
	}
	if len(deletesHostSoftwareIDs) == 0 {
		return nil, nil
	}

	stmt := `DELETE FROM host_software WHERE host_id = ? AND software_id IN (?);`
	stmt, args, err := sqlx.In(stmt, hostID, deletesHostSoftwareIDs)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "build delete host software query")
	}
	if _, err := tx.ExecContext(ctx, stmt, args...); err != nil {
		return nil, ctxerr.Wrap(ctx, err, "delete host software")
	}

	return deletedSoftware, nil
}

// longestCommonPrefix finds the longest common prefix among a slice of strings.
// Returns empty string if there's no common prefix.
func longestCommonPrefix(strs []string) string {
	if len(strs) == 0 {
		return ""
	}
	if len(strs) == 1 {
		return strs[0]
	}

	firstLen := len(strs[0])
	i := 0
	for {
		if i >= firstLen {
			return strs[0]
		}

		c := strs[0][i]
		for _, s := range strs[1:] {
			if i >= len(s) || s[i] != c {
				return strs[0][:i]
			}
		}
		i++
	}
}

// preInsertSoftwareInventory pre-inserts software and software_titles outside the main transaction
// to reduce lock contention. These operations are idempotent due to INSERT IGNORE.
func (ds *Datastore) preInsertSoftwareInventory(
	ctx context.Context,
	existingSoftwareSummaries []softwareSummary,
	incomingSoftwareByChecksum map[string]fleet.Software,
	incomingChecksumsToExistingTitleSummaries map[string]fleet.SoftwareTitleSummary,
) error {
	type titleKey struct {
		name         string
		source       string
		extensionFor string
		bundleID     string
		isKernel     bool
	}

	// Collect all software that needs to be inserted
	needsInsert := make(map[string]fleet.Software)
	bundleGroups := make(map[titleKey][]string)
	keys := make([]string, 0, len(incomingSoftwareByChecksum))

	existingSet := make(map[string]struct{}, len(existingSoftwareSummaries))
	for _, es := range existingSoftwareSummaries {
		existingSet[es.Checksum] = struct{}{}
	}

	for checksum, sw := range incomingSoftwareByChecksum {
		if _, ok := existingSet[checksum]; !ok {
			needsInsert[checksum] = sw
			keys = append(keys, checksum)

			if sw.BundleIdentifier != "" {
				key := titleKey{
					bundleID:     sw.BundleIdentifier,
					source:       sw.Source,
					extensionFor: sw.ExtensionFor,
				}
				bundleGroups[key] = append(bundleGroups[key], sw.Name)
			}
		}
	}

	if len(needsInsert) == 0 {
		return nil
	}

	bestTitleNames := make(map[titleKey]string)
	for key, names := range bundleGroups {
		if len(names) > 1 {
			// Pick the best represenative name for the group of names
			commonPrefix := longestCommonPrefix(names)
			commonPrefix = trailingNonWordChars.ReplaceAllString(commonPrefix, "")
			if len(commonPrefix) > 0 {
				bestTitleNames[key] = commonPrefix
			} else {
				// Fall back to shortest name
				shortest := names[0]
				for _, name := range names[1:] {
					if len(name) < len(shortest) {
						shortest = name
					}
				}
				bestTitleNames[key] = shortest
			}
		} else if len(names) == 1 {
			// Single title or no bundle_identifier
			bestTitleNames[key] = names[0]
		}
	}

	// Process in smaller batches to reduce lock time
	err := common_mysql.BatchProcessSimple(keys, softwareInventoryInsertBatchSize, func(batchKeys []string) error {
		batchSoftware := make(map[string]fleet.Software, len(batchKeys))
		for _, key := range batchKeys {
			batchSoftware[key] = needsInsert[key]
		}

		// Each batch in its own transaction
		return ds.withRetryTxx(ctx, func(tx sqlx.ExtContext) error {
			// First insert any needed software titles
			newTitlesNeeded := make(map[string]fleet.SoftwareTitle)
			for checksum, sw := range batchSoftware {
				if _, ok := incomingChecksumsToExistingTitleSummaries[checksum]; !ok {
					// there is not an existing software title corresponding to this incoming software version
					newTitleName := sw.Name
					if sw.BundleIdentifier != "" {
						key := titleKey{
							bundleID:     sw.BundleIdentifier,
							source:       sw.Source,
							extensionFor: sw.ExtensionFor,
						}
						if computedName, exists := bestTitleNames[key]; exists {
							newTitleName = computedName
						}
					}

					newTitle := fleet.SoftwareTitle{
						Name:         newTitleName,
						Source:       sw.Source,
						ExtensionFor: sw.ExtensionFor,
						IsKernel:     sw.IsKernel,
					}
					if sw.BundleIdentifier != "" {
						newTitle.BundleIdentifier = ptr.String(sw.BundleIdentifier)
					}
					if sw.ApplicationID != nil && *sw.ApplicationID != "" {
						newTitle.ApplicationID = sw.ApplicationID
					}
					if sw.UpgradeCode != nil {
						// intentionally write both empty and non-empty strings as upgrade codes
						newTitle.UpgradeCode = sw.UpgradeCode
					}
					newTitlesNeeded[checksum] = newTitle
				}
			}

			// Map to store title IDs for all titles (both existing and new)
			titleIDsByChecksum := make(map[string]uint, len(incomingChecksumsToExistingTitleSummaries))

			// First, add existing titles to the map
			for checksum, titleSummary := range incomingChecksumsToExistingTitleSummaries {
				titleIDsByChecksum[checksum] = titleSummary.ID
			}
			if len(newTitlesNeeded) > 0 {
				uniqueTitlesToInsert := make(map[titleKey]fleet.SoftwareTitle)
				for _, title := range newTitlesNeeded {
					bundleID := ""
					if title.BundleIdentifier != nil {
						bundleID = *title.BundleIdentifier
					}
					key := titleKey{
						name:         title.Name,
						source:       title.Source,
						extensionFor: title.ExtensionFor,
						bundleID:     bundleID,
						isKernel:     title.IsKernel,
					}

					if _, exists := uniqueTitlesToInsert[key]; !exists {
						uniqueTitlesToInsert[key] = title
					}
				}

				// Insert software titles
				const numberOfArgsPerSoftwareTitles = 7
				titlesValues := strings.TrimSuffix(strings.Repeat("(?,?,?,?,?,?,?),", len(uniqueTitlesToInsert)), ",")
				titlesStmt := fmt.Sprintf("INSERT IGNORE INTO software_titles (name, source, extension_for, bundle_identifier, is_kernel, application_id, upgrade_code) VALUES %s", titlesValues)
				titlesArgs := make([]any, 0, len(uniqueTitlesToInsert)*numberOfArgsPerSoftwareTitles)

				for _, title := range uniqueTitlesToInsert {
					titlesArgs = append(titlesArgs, title.Name, title.Source, title.ExtensionFor, title.BundleIdentifier, title.IsKernel, title.ApplicationID, title.UpgradeCode)
				}

				if _, err := tx.ExecContext(ctx, titlesStmt, titlesArgs...); err != nil {
					return ctxerr.Wrap(ctx, err, "pre-insert software_titles")
				}

				// Retrieve the IDs for the titles we just inserted (or that already existed)
				var retrievedTitleSummaries []fleet.SoftwareTitleSummary
				// TODO - include UpgradeCode in the below WHERE (these args) for additional specificity?
				titlePlaceholders := strings.TrimSuffix(strings.Repeat("(?,?,?,?),", len(uniqueTitlesToInsert)), ",")
				queryArgs := make([]interface{}, 0, len(uniqueTitlesToInsert)*4)
				for tk := range uniqueTitlesToInsert {
					title := uniqueTitlesToInsert[tk]
					bundleID := ""
					if title.BundleIdentifier != nil {
						bundleID = *title.BundleIdentifier
					}

					firstArg := title.Name
					if bundleID != "" {
						firstArg = bundleID
					}
					queryArgs = append(queryArgs, firstArg, title.Source, title.ExtensionFor, bundleID)
				}

				stmt := fmt.Sprintf(`SELECT id, name, source, extension_for, bundle_identifier, upgrade_code
					FROM software_titles
					WHERE (COALESCE(bundle_identifier, name), source, extension_for, COALESCE(bundle_identifier, '')) IN (%s)`, titlePlaceholders)

				if err := sqlx.SelectContext(ctx, tx, &retrievedTitleSummaries, stmt, queryArgs...); err != nil {
					return ctxerr.Wrap(ctx, err, "select software titles")
				}

				// Map the titles back to their checksums
				for _, titleSummary := range retrievedTitleSummaries {
					var bundleID string
					if titleSummary.BundleIdentifier != nil {
						bundleID = *titleSummary.BundleIdentifier
					}
					for checksum, title := range newTitlesNeeded {
						var titleBundleID string
						if title.BundleIdentifier != nil {
							titleBundleID = *title.BundleIdentifier
						}
						// For apps with bundle_identifier, match by bundle_identifier (since we may have picked a different name)
						// For others, match by name
						nameMatches := titleSummary.Name == title.Name
						// TODO - similarly match if UpgradeCodes match?
						if bundleID != "" && titleBundleID != "" {
							// Both have bundle_identifier - match by bundle_identifier instead of name
							nameMatches = true
						}
						if nameMatches && titleSummary.Source == title.Source && titleSummary.ExtensionFor == title.ExtensionFor && bundleID == titleBundleID {
							titleIDsByChecksum[checksum] = titleSummary.ID
							// Don't break here - multiple checksums can map to the same title
							// (e.g., when software has same truncated name but different versions (very rare))
						}
					}
				}
			}

			// Insert software entries
			const numberOfArgsPerSoftware = 13
			values := strings.TrimSuffix(
				strings.Repeat("(?,?,?,?,?,?,?,?,?,?,?,?,?),", len(batchKeys)), ",",
			)
			stmt := fmt.Sprintf(
				`INSERT IGNORE INTO software (
					name,
					version,
					source,
					`+"`release`"+`,
					vendor,
					arch,
					bundle_identifier,
					extension_id,
					extension_for,
					title_id,
					checksum,
					application_id,
					upgrade_code
				) VALUES %s`,
				values,
			)

			args := make([]any, 0, len(batchKeys)*numberOfArgsPerSoftware)
			var missingSoftwareTitles []string
			for _, checksum := range batchKeys {
				sw := batchSoftware[checksum]
				var titleID *uint
				// Get the title ID from our combined map
				if id, ok := titleIDsByChecksum[checksum]; ok {
					titleID = &id
				} else {
					// Track software missing title IDs for debugging
					missingSoftwareTitles = append(missingSoftwareTitles,
						fmt.Sprintf("%s %s %s", sw.Name, sw.Version, sw.Source))
				}
				args = append(
					args, sw.Name, sw.Version, sw.Source, sw.Release, sw.Vendor, sw.Arch,
					sw.BundleIdentifier, sw.ExtensionID, sw.ExtensionFor, titleID, checksum, sw.ApplicationID, sw.UpgradeCode,
				)
			}

			// Log an error if we have software without title IDs
			// This shouldn't happen in normal operation. And this code is here to catch bugs.
			if len(missingSoftwareTitles) > 0 && ds.logger != nil {
				exampleCount := 3
				if len(missingSoftwareTitles) < exampleCount {
					exampleCount = len(missingSoftwareTitles)
				}
				level.Error(ds.logger).Log(
					"msg", "inserting software without title_id",
					"count", len(missingSoftwareTitles),
					"examples", strings.Join(missingSoftwareTitles[:exampleCount], "; "),
				)
			}

			if _, err := tx.ExecContext(ctx, stmt, args...); err != nil {
				return ctxerr.Wrap(ctx, err, "pre-insert software")
			}

			return nil
		})
	})

	return err
}

// linkSoftwareToHost links pre-inserted software to a host.
// This assumes software inventory entries already exist.
func (ds *Datastore) linkSoftwareToHost(
	ctx context.Context,
	tx sqlx.ExtContext,
	hostID uint,
	softwareChecksums map[string]fleet.Software,
) ([]fleet.Software, error) {
	var insertsHostSoftware []interface{}
	var insertedSoftware []fleet.Software

	// Build map of all checksums we need to link
	allChecksums := make([]string, 0, len(softwareChecksums))
	for checksum := range softwareChecksums {
		allChecksums = append(allChecksums, checksum)
	}

	// Get all software IDs (they should exist from pre-insertion).
	// This ensures that we're not creating orphaned references (where software was deleted between pre-insertion and now).
	// This DB call could be removed to squeeze our a little more performance at the risk of orphaned references.
	allSoftwareSummaries, err := getExistingSoftwareSummariesByChecksums(ctx, tx, allChecksums)
	if err != nil {
		return nil, err
	}

	// Build ID map
	softwareSummaryByChecksum := make(map[string]softwareSummary)
	for _, s := range allSoftwareSummaries {
		softwareSummaryByChecksum[s.Checksum] = s
	}

	// Link software to host
	for checksum, sw := range softwareChecksums {
		if existing, ok := softwareSummaryByChecksum[checksum]; ok {
			sw.ID = existing.ID
			insertsHostSoftware = append(insertsHostSoftware, hostID, sw.ID, sw.LastOpenedAt)
			insertedSoftware = append(insertedSoftware, sw)
		} else {
			// Log missing software but continue
			level.Warn(ds.logger).Log(
				"msg", "software not found after pre-insertion",
				"checksum", fmt.Sprintf("%x", checksum),
				"name", sw.Name,
				"version", sw.Version,
			)
		}
	}

	// Insert host_software links
	// INSERT IGNORE handles duplicate key errors for idempotency.
	if len(insertsHostSoftware) > 0 {
		values := strings.TrimSuffix(strings.Repeat("(?,?,?),", len(insertsHostSoftware)/3), ",")
		stmt := fmt.Sprintf(`INSERT IGNORE INTO host_software (host_id, software_id, last_opened_at) VALUES %s`, values)
		if _, err := tx.ExecContext(ctx, stmt, insertsHostSoftware...); err != nil {
			return nil, ctxerr.Wrap(ctx, err, "insert host software")
		}
	}

	return insertedSoftware, nil
}

func (ds *Datastore) reconcileExistingTitleEmptyUpgradeCodes(
	ctx context.Context,
	incomingSoftwareByChecksum map[string]fleet.Software,
	incomingChecksumsToExistingTitleSummaries map[string]fleet.SoftwareTitleSummary,
) error {
	existingTitlesToUpgradeCodePtrsToWrite := make(map[uint]oldAndNewUpgradeCodePtrs)

	for swChecksum, sw := range incomingSoftwareByChecksum {
		if sw.UpgradeCode == nil || *sw.UpgradeCode == "" {
			continue
		}

		existingTitleSummary, ok := incomingChecksumsToExistingTitleSummaries[swChecksum]
		if !ok {
			// a new title will be inserted in the next step with the fresh upgrade code, if any, from the incoming software
			continue
		}

		switch {
		case existingTitleSummary.UpgradeCode == nil:
			level.Warn(ds.logger).Log(
				"msg", "Encountered Windows software title with a NULL upgrade_code, which shouldn't be possible. Writing the incoming non-empty upgrade code to the title.",
				"title_id", existingTitleSummary.ID,
				"title_name", existingTitleSummary.Name,
				"source", existingTitleSummary.Source,
				"incoming_upgrade_code", *sw.UpgradeCode,
			)
			existingTitlesToUpgradeCodePtrsToWrite[existingTitleSummary.ID] = oldAndNewUpgradeCodePtrs{old: existingTitleSummary.UpgradeCode, new: sw.UpgradeCode}
		case *existingTitleSummary.UpgradeCode == "":
			existingTitlesToUpgradeCodePtrsToWrite[existingTitleSummary.ID] = oldAndNewUpgradeCodePtrs{old: existingTitleSummary.UpgradeCode, new: sw.UpgradeCode}
		case existingTitleSummary.UpgradeCode != nil && *existingTitleSummary.UpgradeCode != "" && *sw.UpgradeCode != *existingTitleSummary.UpgradeCode:
			// don't update this title
			level.Warn(ds.logger).Log(
				"msg", "Incoming software's upgrade code has changed from the existing title's. The developers of this software may have changed the upgrade code, and this may be worth investigating. Keeping the previous title's upgrade code. This will likely result is some inconsistencies, such as the title's upgrade_code possibly not being returned from the list host software endpoint.",
				"existing_title_id", existingTitleSummary.ID,
				"existing_title_name", existingTitleSummary.Name,
				"existing_title_source", existingTitleSummary.Source,
				"existing_title_upgrade_code", *existingTitleSummary.UpgradeCode,
				"incoming_software_name", sw.Name,
				"incoming_software_source", sw.Source,
				"incoming_software_upgrade_code", *sw.UpgradeCode,
			)
		}
	}

	// Update each title
	for titleID := range existingTitlesToUpgradeCodePtrsToWrite {
		// since this should be a very rare occurrence, no need to batch
		newUcPtr := existingTitlesToUpgradeCodePtrsToWrite[titleID].new
		oldUcPtr := existingTitlesToUpgradeCodePtrsToWrite[titleID].old

		args := []any{newUcPtr, titleID}
		stmt := `UPDATE software_titles SET upgrade_code = ? WHERE id = ? AND upgrade_code`
		if oldUcPtr == nil {
			stmt += " IS NULL"
		} else {
			stmt += " = ?"
			args = append(args, oldUcPtr)
		}
		err := ds.withRetryTxx(ctx, func(tx sqlx.ExtContext) error {
			result, err := tx.ExecContext(ctx, stmt, args...)
			if err != nil {
				return ctxerr.Wrapf(ctx, err, "updating upgrade_code for software_title id: %d", titleID)
			}

			if rowsAffected, _ := result.RowsAffected(); rowsAffected > 0 {
				level.Info(ds.logger).Log(
					"msg", "updated software title upgrade_code",
					"title_id", titleID,
					"new_upgrade_code", newUcPtr,
					"old_upgrade_code", oldUcPtr,
				)
			}
			return nil
		})
		if err != nil {
			return err
		}
	}
	return nil
}

func getExistingSoftwareSummariesByChecksums(ctx context.Context, tx sqlx.QueryerContext, checksums []string) ([]softwareSummary, error) {
	if len(checksums) == 0 {
		return []softwareSummary{}, nil
	}

	stmt, args, err := sqlx.In("SELECT name, id, checksum, title_id, bundle_identifier, source, upgrade_code FROM software WHERE checksum IN (?)", checksums)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "build select software summaries query")
	}
	var existingSoftwareSummaries []softwareSummary
	if err = sqlx.SelectContext(ctx, tx, &existingSoftwareSummaries, stmt, args...); err != nil {
		return nil, ctxerr.Wrap(ctx, err, "get existing software summaries")
	}
	return existingSoftwareSummaries, nil
}

// update host_software when incoming software has a significantly more recent
// last opened timestamp (or didn't have on in currentMap). Note that it only
// processes software that is in both current and incoming maps, as the case
// where it is only in incoming is already handled by
// insertNewInstalledHostSoftwareDB.
func updateModifiedHostSoftwareDB(
	ctx context.Context,
	tx sqlx.ExtContext,
	hostID uint,
	currentMap map[string]fleet.Software,
	incomingMap map[string]fleet.Software,
	minLastOpenedAtDiff time.Duration,
	logger log.Logger,
) error {
	var keysToUpdate []string
	for key, newSw := range incomingMap {
		curSw, ok := currentMap[key]
		// software must exist in current map for us to update it.
		if !ok {
			continue
		}
		// if the new software has no last opened timestamp, log if the current one did
		// (but only for non-apps sources, as apps sources are managed by osquery)
		if newSw.LastOpenedAt == nil {
			if curSw.LastOpenedAt != nil && newSw.Source != "apps" {
				level.Info(logger).Log(
					"msg", "software last_opened_at changed to nil",
					"host_id", hostID,
					"software_id", curSw.ID,
					"software_name", newSw.Name,
					"source", newSw.Source,
				)
			}
			continue
		}
		// update if the new software has been opened more recently.
		if curSw.LastOpenedAt == nil || newSw.LastOpenedAt.Sub(*curSw.LastOpenedAt) >= minLastOpenedAtDiff {
			keysToUpdate = append(keysToUpdate, key)
		}
	}
	sort.Strings(keysToUpdate)

	for i := 0; i < len(keysToUpdate); i += softwareInsertBatchSize {
		start := i
		end := i + softwareInsertBatchSize
		if end > len(keysToUpdate) {
			end = len(keysToUpdate)
		}
		totalToProcess := end - start

		const numberOfArgsPerSoftware = 3 // number of ? in each UPDATE
		// Using UNION ALL (instead of UNION) because it is faster since it does not check for duplicates.
		values := strings.TrimSuffix(
			strings.Repeat(" SELECT ? as host_id, ? as software_id, ? as last_opened_at UNION ALL", totalToProcess), "UNION ALL",
		)
		stmt := fmt.Sprintf(
			`UPDATE host_software hs JOIN (%s) a ON hs.host_id = a.host_id AND hs.software_id = a.software_id SET hs.last_opened_at = a.last_opened_at`,
			values,
		)

		args := make([]interface{}, 0, totalToProcess*numberOfArgsPerSoftware)
		for j := start; j < end; j++ {
			key := keysToUpdate[j]
			curSw, newSw := currentMap[key], incomingMap[key]
			args = append(args, hostID, curSw.ID, newSw.LastOpenedAt)
		}
		if _, err := tx.ExecContext(ctx, stmt, args...); err != nil {
			return ctxerr.Wrap(ctx, err, "update host software")
		}
	}

	return nil
}

func updateSoftwareUpdatedAt(
	ctx context.Context,
	tx sqlx.ExtContext,
	hostID uint,
) error {
	const stmt = `INSERT INTO host_updates(host_id, software_updated_at) VALUES (?, CURRENT_TIMESTAMP) ON DUPLICATE KEY UPDATE software_updated_at=VALUES(software_updated_at)`

	if _, err := tx.ExecContext(ctx, stmt, hostID); err != nil {
		return ctxerr.Wrap(ctx, err, "update host updates")
	}

	return nil
}

var dialect = goqu.Dialect("mysql")

// listSoftwareDB returns software installed on hosts. Use opts for pagination, filtering, and controlling
// fields populated in the returned software.
// Used on software/versions not software/titles
func listSoftwareDB(
	ctx context.Context,
	q sqlx.QueryerContext,
	opts fleet.SoftwareListOptions,
) ([]fleet.Software, error) {
	sql, args, err := selectSoftwareSQL(opts)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "sql build")
	}

	var results []softwareCVE
	if err := sqlx.SelectContext(ctx, q, &results, sql, args...); err != nil {
		return nil, ctxerr.Wrap(ctx, err, "select host software")
	}

	var softwares []fleet.Software
	ids := make(map[uint]int) // map of ids to index into softwares
	for _, result := range results {
		result := result // create a copy because we need to take the address to fields below

		idx, ok := ids[result.ID]
		if !ok {
			idx = len(softwares)
			softwares = append(softwares, result.Software)
			ids[result.ID] = idx
		}

		// handle null cve from left join
		if result.CVE != nil {
			cveID := *result.CVE
			cve := fleet.CVE{
				CVE:         cveID,
				DetailsLink: fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", cveID),
				CreatedAt:   *result.CreatedAt,
			}
			if opts.IncludeCVEScores && !opts.WithoutVulnerabilityDetails {
				cve.CVSSScore = &result.CVSSScore
				cve.EPSSProbability = &result.EPSSProbability
				cve.CISAKnownExploit = &result.CISAKnownExploit
				cve.CVEPublished = &result.CVEPublished
				cve.Description = &result.Description
				cve.ResolvedInVersion = &result.ResolvedInVersion
			}
			softwares[idx].Vulnerabilities = append(softwares[idx].Vulnerabilities, cve)
		}

	}

	return softwares, nil
}

// softwareCVE is used for left joins with cve
//
//

type softwareCVE struct {
	fleet.Software

	// CVE is the CVE identifier pulled from the NVD json (e.g. CVE-2019-1234)
	CVE *string `db:"cve"`

	// CVSSScore is the CVSS score pulled from the NVD json (premium only)
	CVSSScore *float64 `db:"cvss_score"`

	// EPSSProbability is the EPSS probability pulled from FIRST (premium only)
	EPSSProbability *float64 `db:"epss_probability"`

	// CISAKnownExploit is the CISAKnownExploit pulled from CISA (premium only)
	CISAKnownExploit *bool `db:"cisa_known_exploit"`

	// CVEPublished is the CVE published date pulled from the NVD json (premium only)
	CVEPublished *time.Time `db:"cve_published"`

	// Description is the CVE description field pulled from the NVD json
	Description *string `db:"description"`

	// ResolvedInVersion is the version of software where the CVE is no longer applicable.
	// This is pulled from the versionEndExcluding field in the NVD json
	ResolvedInVersion *string `db:"resolved_in_version"`

	// CreatedAt is the time the software vulnerability was created
	CreatedAt *time.Time `db:"created_at"`
}

// canUseOptimizedListQuery determines if we can use the fast path query
// that starts FROM software_host_counts instead of software.
func canUseOptimizedListQuery(opts fleet.SoftwareListOptions) bool {
	// Determine the effective order key
	orderKey := opts.ListOptions.OrderKey
	if orderKey == "" {
		orderKey = "hosts_count"
	}

	// Only optimize if:
	// 1. We're listing all software (not filtering by HostID)
	// 2. We're ordering by hosts_count only (covering index requirement)
	// 3. We're not filtering by CVE fields
	// 4. We're not searching (which requires CVE join)
	// 5. We're not using multi-column sorts (e.g., "name,id")
	//
	// The covering index optimization only works when ordering by hosts_count
	// because the inner query uses a covering index scan that only includes
	// (team_id, global_stats, hosts_count DESC, software_id). This dramatically
	// improves performance.
	return opts.HostID == nil &&
		!opts.VulnerableOnly &&
		opts.MinimumCVSS == 0 &&
		opts.MaximumCVSS == 0 &&
		!opts.KnownExploit &&
		opts.ListOptions.MatchQuery == "" &&
		orderKey == "hosts_count" &&
		!isMultiColumnSort(opts.ListOptions.OrderKey)
}

// isMultiColumnSort checks if the order key contains multiple columns (comma-separated)
func isMultiColumnSort(orderKey string) bool {
	return strings.Contains(orderKey, ",")
}

// buildOptimizedListSoftwareSQL builds an optimized query for listing software
// that uses a covering index scan.
//
// This optimization uses a two-stage query approach:
//  1. Inner query: Covering index scan on software_host_counts that only selects
//     indexed columns (software_id, hosts_count). This allows MySQL to read
//     directly from the index without accessing the table.
//  2. Outer query: LEFT JOINs to all necessary tables (software, software_cpe,
//     software_host_counts, software_cve, cve_meta) for only the paginated results.
//
// Eventual consistency: During the hourly SyncHostsSoftware cron job, there's a
// ~50-200ms window where orphaned software_host_counts rows may exist (between
// deleting software entries and deleting orphaned count rows). The LEFT JOIN to
// software with WHERE s.id IS NOT NULL handles this gracefully by filtering out
// any software_ids that don't have matching software rows during this window.
func buildOptimizedListSoftwareSQL(opts fleet.SoftwareListOptions) (string, []interface{}, error) {
	var args []interface{}

	// Determine sort direction. Default is descending for hosts_count.
	// For efficient index usage with ASC queries, reverse both columns in ORDER BY
	// to enable full backward index scan. The index is (team_id, global_stats, hosts_count DESC, software_id).
	// - DESC query: ORDER BY hosts_count DESC, software_id ASC (forward scan, matches index)
	// - ASC query:  ORDER BY hosts_count ASC, software_id DESC (backward scan, full reversal)
	direction := "DESC"
	secondaryDirection := "ASC"
	if opts.ListOptions.OrderDirection == fleet.OrderAscending {
		direction = "ASC"
		secondaryDirection = "DESC"
	}

	// Inner query: covering index scan that only selects indexed columns
	// This allows MySQL to read from the index without accessing the table,
	// which is critical for performance.
	// IMPORTANT: Update this query if modifying idx_software_host_counts_team_global_hosts_desc index.
	// PERFORMANCE ISSUE: The hosts_count > 0 filter causes ASC queries to read the entire index
	// instead of stopping after LIMIT rows like DESC queries do. While both ASC and DESC
	// use the index, DESC can stop early but ASC with a range condition must read all matching rows.
	// RECOMMENDED SOLUTION: Eliminate zero-count rows from this table entirely.
	// This would allow removing the hosts_count > 0 filter, making ASC queries as fast as DESC
	// without requiring a second index. Related issue: https://github.com/fleetdm/fleet/issues/35805
	innerSQL := `
		SELECT
			shc.software_id,
			shc.hosts_count
		FROM software_host_counts shc
		WHERE shc.hosts_count > 0
	`

	// Apply team filtering with global_stats
	switch {
	case opts.TeamID == nil:
		innerSQL += " AND shc.team_id = 0 AND shc.global_stats = 1"
	case *opts.TeamID == 0:
		innerSQL += " AND shc.team_id = 0 AND shc.global_stats = 0"
	default:
		innerSQL += " AND shc.team_id = ? AND shc.global_stats = 0"
		args = append(args, *opts.TeamID)
	}

	// software_id is the secondary key to make ordering deterministic
	innerSQL += " ORDER BY shc.hosts_count " + direction + ", shc.software_id " + secondaryDirection

	// Apply pagination
	perPage := opts.ListOptions.PerPage
	if perPage == 0 {
		perPage = defaultSelectLimit
	}

	offset := perPage * opts.ListOptions.Page

	// Request one extra row to determine if there are more results (only if pagination metadata is requested)
	if opts.ListOptions.IncludeMetadata {
		perPage++
	}

	innerSQL += " LIMIT ?"
	args = append(args, perPage)

	if offset > 0 {
		innerSQL += " OFFSET ?"
		args = append(args, offset)
	}

	// Outer query: LEFT JOIN to all necessary tables for the paginated results only.
	outerSQL := `
		SELECT
			s.id,
			s.name,
			s.version,
			s.source,
			s.bundle_identifier,
			s.extension_id,
			s.extension_for,
			s.release,
			s.vendor,
			s.arch,
			s.application_id,
			s.title_id,
			s.upgrade_code,
			COALESCE(scp.cpe, '') AS generated_cpe,
			scv.cve,
			scv.created_at
	`

	if opts.IncludeCVEScores {
		outerSQL += `,
			c.cvss_score,
			c.epss_probability,
			c.cisa_known_exploit,
			c.description,
			c.published AS cve_published,
			scv.resolved_in_version
		`
	}

	if opts.WithHostCounts {
		outerSQL += `,
			top.hosts_count,
			shc.updated_at AS counts_updated_at
		`
	}

	outerSQL += `
		FROM (` + innerSQL + `) AS top
		LEFT JOIN software s ON s.id = top.software_id
		LEFT JOIN software_cpe scp ON scp.software_id = top.software_id
	`

	// Join back to software_host_counts to get updated_at.
	// We do this in the outer query because the updated_at field is not part of the covering index.
	if opts.WithHostCounts {
		switch {
		case opts.TeamID == nil:
			outerSQL += `
		LEFT JOIN software_host_counts shc ON shc.software_id = top.software_id
			AND shc.team_id = 0 AND shc.global_stats = 1
			`
		case *opts.TeamID == 0:
			outerSQL += `
		LEFT JOIN software_host_counts shc ON shc.software_id = top.software_id
			AND shc.team_id = 0 AND shc.global_stats = 0
			`
		default:
			outerSQL += `
		LEFT JOIN software_host_counts shc ON shc.software_id = top.software_id
			AND shc.team_id = ? AND shc.global_stats = 0
			`
			args = append(args, *opts.TeamID)
		}
	}

	outerSQL += `
		LEFT JOIN software_cve scv ON scv.software_id = top.software_id
	`

	if opts.IncludeCVEScores {
		outerSQL += `
		LEFT JOIN cve_meta c ON c.cve = scv.cve
		`
	}

	// Filter out any orphaned software_ids (eventual consistency handling)
	outerSQL += `
		WHERE s.id IS NOT NULL
	`

	// software_id is the secondary key to make ordering deterministic
	outerSQL += " ORDER BY top.hosts_count " + direction + ", top.software_id " + secondaryDirection

	return outerSQL, args, nil
}

func selectSoftwareSQL(opts fleet.SoftwareListOptions) (string, []interface{}, error) {
	// Fast path: optimized query for the common case of listing all software
	// without CVE filters/ordering.
	if canUseOptimizedListQuery(opts) {
		return buildOptimizedListSoftwareSQL(opts)
	}

	// Fallback to the original goqu-based query builder for complex cases
	ds := dialect.
		From(goqu.I("software").As("s")).
		Select(
			"s.id",
			"s.name",
			"s.version",
			"s.source",
			"s.bundle_identifier",
			"s.extension_id",
			"s.extension_for",
			"s.release",
			"s.vendor",
			"s.arch",
			"s.application_id",
			"s.title_id",
			"s.upgrade_code",
			goqu.I("scp.cpe").As("generated_cpe"),
		).
		// Include this in the sub-query in case we want to sort by 'generated_cpe'
		LeftJoin(
			goqu.I("software_cpe").As("scp"),
			goqu.On(
				goqu.I("s.id").Eq(goqu.I("scp.software_id")),
			),
		)

	if opts.HostID != nil {
		ds = ds.
			Join(
				goqu.I("host_software").As("hs"),
				goqu.On(
					goqu.I("hs.software_id").Eq(goqu.I("s.id")),
					goqu.I("hs.host_id").Eq(opts.HostID),
				),
			).
			SelectAppend("hs.last_opened_at")
		if opts.TeamID != nil {
			ds = ds.
				Join(
					goqu.I("hosts").As("h"),
					goqu.On(
						goqu.I("hs.host_id").Eq(goqu.I("h.id")),
						goqu.I("h.team_id").Eq(opts.TeamID),
					),
				)
		}

	} else {
		// When loading software from all hosts, filter out software that is not associated with any
		// hosts.
		ds = ds.
			Join(
				goqu.I("software_host_counts").As("shc"),
				goqu.On(
					goqu.I("s.id").Eq(goqu.I("shc.software_id")),
					goqu.I("shc.hosts_count").Gt(0),
				),
			).
			GroupByAppend(
				"shc.hosts_count",
				"shc.updated_at",
				"shc.global_stats",
				"shc.team_id",
			)

		if opts.TeamID == nil { //nolint:gocritic // ignore ifElseChain
			ds = ds.Where(
				goqu.And(
					goqu.I("shc.team_id").Eq(0),
					goqu.I("shc.global_stats").Eq(1),
				),
			)
		} else if *opts.TeamID == 0 {
			ds = ds.Where(
				goqu.And(
					goqu.I("shc.team_id").Eq(0),
					goqu.I("shc.global_stats").Eq(0),
				),
			)
		} else {
			ds = ds.Where(
				goqu.And(
					goqu.I("shc.team_id").Eq(*opts.TeamID),
					goqu.I("shc.global_stats").Eq(0),
				),
			)
		}
	}

	if opts.VulnerableOnly {
		ds = ds.
			Join(
				goqu.I("software_cve").As("scv"),
				goqu.On(goqu.I("s.id").Eq(goqu.I("scv.software_id"))),
			)
	} else if !opts.WithoutVulnerabilityDetails || opts.IncludeCVEScores || opts.ListOptions.MatchQuery != "" {
		// LEFT JOIN software_cve if:
		// 1. We need CVE details in the list (!WithoutVulnerabilityDetails), OR
		// 2. We need CVE scores for ordering/filtering (IncludeCVEScores), OR
		// 3. We have a search query (MatchQuery) that might be searching for CVEs
		//
		// When WithoutVulnerabilityDetails=true AND IncludeCVEScores=false AND MatchQuery is empty,
		// we can skip this join entirely in the subquery. The outer query will fetch CVEs only for
		// the paginated results, which is much more efficient.
		ds = ds.
			LeftJoin(
				goqu.I("software_cve").As("scv"),
				goqu.On(goqu.I("s.id").Eq(goqu.I("scv.software_id"))),
			)
	}

	if opts.IncludeCVEScores {

		baseJoinConditions := goqu.Ex{
			"c.cve": goqu.I("scv.cve"),
		}

		if opts.KnownExploit || opts.MinimumCVSS > 0 || opts.MaximumCVSS > 0 {

			if opts.KnownExploit {
				baseJoinConditions["c.cisa_known_exploit"] = true
			}

			if opts.MinimumCVSS > 0 {
				baseJoinConditions["c.cvss_score"] = goqu.Op{"gte": opts.MinimumCVSS}
			}

			if opts.MaximumCVSS > 0 {
				baseJoinConditions["c.cvss_score"] = goqu.Op{"lte": opts.MaximumCVSS}
			}

			ds = ds.InnerJoin(
				goqu.I("cve_meta").As("c"),
				goqu.On(baseJoinConditions),
			)

		} else {
			ds = ds.
				LeftJoin(
					goqu.I("cve_meta").As("c"),
					goqu.On(baseJoinConditions),
				)
		}

		ds = ds.SelectAppend(
			goqu.MAX("c.cvss_score").As("cvss_score"),                     // for ordering
			goqu.MAX("c.epss_probability").As("epss_probability"),         // for ordering
			goqu.MAX("c.cisa_known_exploit").As("cisa_known_exploit"),     // for ordering
			goqu.MAX("c.published").As("cve_published"),                   // for ordering
			goqu.MAX("c.description").As("description"),                   // for ordering
			goqu.MAX("scv.resolved_in_version").As("resolved_in_version"), // for ordering
		)
	}

	if match := opts.ListOptions.MatchQuery; match != "" {
		match = likePattern(match)
		ds = ds.Where(
			goqu.Or(
				goqu.I("s.name").ILike(match),
				goqu.I("s.version").ILike(match),
				goqu.I("scv.cve").ILike(match),
			),
		)
	}

	if opts.WithHostCounts {
		ds = ds.
			SelectAppend(
				goqu.I("shc.hosts_count"),
				goqu.I("shc.updated_at").As("counts_updated_at"),
			)
	}

	ds = ds.GroupBy(
		"s.id",
		"s.name",
		"s.version",
		"s.source",
		"s.bundle_identifier",
		"s.extension_id",
		"s.extension_for",
		"s.release",
		"s.vendor",
		"s.arch",
		"generated_cpe",
	)

	// Pagination is a bit more complex here due to the join with software_cve table and aggregated columns from cve_meta table.
	// Apply order by again after joining on sub query
	ds = appendListOptionsToSelect(ds, opts.ListOptions)

	// join on software_cve and cve_meta after apply pagination using the sub-query above
	ds = dialect.From(ds.As("s")).
		Select(
			"s.id",
			"s.name",
			"s.version",
			"s.source",
			"s.bundle_identifier",
			"s.extension_id",
			"s.extension_for",
			"s.release",
			"s.vendor",
			"s.arch",
			"s.application_id",
			"s.title_id",
			"s.upgrade_code",
			goqu.COALESCE(goqu.I("s.generated_cpe"), "").As("generated_cpe"),
			"scv.cve",
			"scv.created_at",
		).
		LeftJoin(
			goqu.I("software_cve").As("scv"),
			goqu.On(goqu.I("scv.software_id").Eq(goqu.I("s.id"))),
		).
		LeftJoin(
			goqu.I("cve_meta").As("c"),
			goqu.On(goqu.I("c.cve").Eq(goqu.I("scv.cve"))),
		)

	// select optional columns
	if opts.IncludeCVEScores {
		ds = ds.SelectAppend(
			"c.cvss_score",
			"c.epss_probability",
			"c.cisa_known_exploit",
			"c.description",
			goqu.I("c.published").As("cve_published"),
			"scv.resolved_in_version",
		)
	}

	if opts.HostID != nil {
		ds = ds.SelectAppend(
			goqu.I("s.last_opened_at"),
		)
	}

	if opts.WithHostCounts {
		ds = ds.SelectAppend(
			goqu.I("s.hosts_count"),
			goqu.I("s.counts_updated_at"),
		)
	}

	ds = appendOrderByToSelect(ds, opts.ListOptions)

	return ds.ToSQL()
}

func countSoftwareDB(
	ctx context.Context,
	q sqlx.QueryerContext,
	opts fleet.SoftwareListOptions,
) (int, error) {
	if opts.HostID != nil {
		// For specific host queries, fall back to wrapping the complex selectSoftwareSQL query
		opts.ListOptions = fleet.ListOptions{
			MatchQuery: opts.ListOptions.MatchQuery,
		}
		stmt, sqlArgs, err := selectSoftwareSQL(opts)
		if err != nil {
			return 0, ctxerr.Wrap(ctx, err, "sql build")
		}
		stmt = `SELECT COUNT(DISTINCT s.id) FROM (` + stmt + `) AS s`
		var count int
		if err := sqlx.GetContext(ctx, q, &count, stmt, sqlArgs...); err != nil {
			return 0, ctxerr.Wrap(ctx, err, "count host software")
		}
		return count, nil
	}

	// For listing all software, use optimized query starting from software_host_counts
	// Add joins only if needed for filtering
	needsSoftwareJoin := opts.ListOptions.MatchQuery != ""
	needsCVEJoin := opts.VulnerableOnly || opts.ListOptions.MatchQuery != ""
	needsCVEMetaJoin := opts.KnownExploit || opts.MinimumCVSS > 0 || opts.MaximumCVSS > 0

	// Ensure CVE join exists if we need to join cve_meta
	if needsCVEMetaJoin {
		needsCVEJoin = true
	}

	// Use COUNT(*) when no joins are needed (faster since primary key guarantees uniqueness)
	// Use COUNT(DISTINCT) when joins could create duplicate rows
	countFunc := "COUNT(*)"
	if needsSoftwareJoin || needsCVEJoin {
		countFunc = "COUNT(DISTINCT shc.software_id)"
	}

	countSQL := fmt.Sprintf(`
		SELECT %s
		FROM software_host_counts shc
	`, countFunc)

	if needsSoftwareJoin {
		countSQL += ` INNER JOIN software s ON s.id = shc.software_id`
	}

	if needsCVEJoin {
		if opts.VulnerableOnly {
			countSQL += ` INNER JOIN software_cve scv ON scv.software_id = shc.software_id`
		} else {
			countSQL += ` LEFT JOIN software_cve scv ON scv.software_id = shc.software_id`
		}
	}

	if needsCVEMetaJoin {
		countSQL += ` INNER JOIN cve_meta c ON c.cve = scv.cve`
	}

	countSQL += ` WHERE shc.hosts_count > 0`

	var args []interface{}
	var whereClauses []string
	// Apply team filtering with global_stats
	switch {
	case opts.TeamID == nil:
		whereClauses = append(whereClauses, "shc.team_id = 0", "shc.global_stats = 1")
	case *opts.TeamID == 0:
		whereClauses = append(whereClauses, "shc.team_id = 0", "shc.global_stats = 0")
	default:
		whereClauses = append(whereClauses, "shc.team_id = ?", "shc.global_stats = 0")
		args = append(args, *opts.TeamID)
	}

	// Apply CVE filtering
	if opts.KnownExploit {
		whereClauses = append(whereClauses, "c.cisa_known_exploit = 1")
	}
	if opts.MinimumCVSS > 0 {
		whereClauses = append(whereClauses, "c.cvss_score >= ?")
		args = append(args, opts.MinimumCVSS)
	}
	if opts.MaximumCVSS > 0 {
		whereClauses = append(whereClauses, "c.cvss_score <= ?")
		args = append(args, opts.MaximumCVSS)
	}

	// Apply search filter
	if match := opts.ListOptions.MatchQuery; match != "" {
		match = likePattern(match)
		whereClauses = append(whereClauses, "(s.name LIKE ? OR s.version LIKE ? OR scv.cve LIKE ?)")
		args = append(args, match, match, match)
	}

	// Add all WHERE clauses
	for _, clause := range whereClauses {
		countSQL += " AND " + clause
	}

	var count int
	if err := sqlx.GetContext(ctx, q, &count, countSQL, args...); err != nil {
		return 0, ctxerr.Wrap(ctx, err, "count software")
	}

	return count, nil
}

func (ds *Datastore) LoadHostSoftware(ctx context.Context, host *fleet.Host, includeCVEScores bool) error {
	opts := fleet.SoftwareListOptions{
		HostID:           &host.ID,
		IncludeCVEScores: includeCVEScores,
	}
	software, err := listSoftwareDB(ctx, ds.reader(ctx), opts)
	if err != nil {
		return err
	}

	installedPaths, err := ds.getHostSoftwareInstalledPaths(
		ctx,
		host.ID,
	)
	if err != nil {
		return err
	}

	installedPathsList := make(map[uint][]string)
	pathSignatureInformation := make(map[uint][]fleet.PathSignatureInformation)
	for _, ip := range installedPaths {
		installedPathsList[ip.SoftwareID] = append(installedPathsList[ip.SoftwareID], ip.InstalledPath)
		pathSignatureInformation[ip.SoftwareID] = append(pathSignatureInformation[ip.SoftwareID], fleet.PathSignatureInformation{
			InstalledPath:  ip.InstalledPath,
			TeamIdentifier: ip.TeamIdentifier,
			HashSha256:     ip.ExecutableSHA256,
		})
	}

	host.Software = make([]fleet.HostSoftwareEntry, 0, len(software))
	for _, s := range software {
		host.Software = append(host.Software, fleet.HostSoftwareEntry{
			Software:                 s,
			InstalledPaths:           installedPathsList[s.ID],
			PathSignatureInformation: pathSignatureInformation[s.ID],
		})
	}
	return nil
}

type softwareIterator struct {
	rows *sqlx.Rows
}

func (si *softwareIterator) Value() (*fleet.Software, error) {
	dest := fleet.Software{}
	err := si.rows.StructScan(&dest)
	if err != nil {
		return nil, err
	}
	return &dest, nil
}

func (si *softwareIterator) Err() error {
	return si.rows.Err()
}

func (si *softwareIterator) Close() error {
	return si.rows.Close()
}

func (si *softwareIterator) Next() bool {
	return si.rows.Next()
}

// AllSoftwareIterator Returns an iterator for the 'software' table, filtering out
// software entries based on the 'query' param. The rows.Close call is done by the caller once
// iteration using the returned fleet.SoftwareIterator is done.
func (ds *Datastore) AllSoftwareIterator(
	ctx context.Context,
	query fleet.SoftwareIterQueryOptions,
) (fleet.SoftwareIterator, error) {
	if !query.IsValid() {
		return nil, fmt.Errorf("invalid query params %+v", query)
	}

	var err error
	var args []interface{}

	stmt := `SELECT
		s.id, s.name, s.version, s.source, s.bundle_identifier, s.release, s.arch, s.vendor, s.extension_for, s.extension_id, s.title_id,
		COALESCE(sc.cpe, '') AS generated_cpe
		FROM software s
	LEFT JOIN software_cpe sc ON (s.id=sc.software_id)`

	var conditionals []string

	if len(query.ExcludedSources) != 0 {
		conditionals = append(conditionals, "s.source NOT IN (?)")
		args = append(args, query.ExcludedSources)
	}

	if len(query.IncludedSources) != 0 {
		conditionals = append(conditionals, "s.source IN (?)")
		args = append(args, query.IncludedSources)
	}

	if query.NameMatch != "" {
		conditionals = append(conditionals, "s.name REGEXP ?")
		args = append(args, query.NameMatch)
	}

	if query.NameExclude != "" {
		conditionals = append(conditionals, "s.name NOT REGEXP ?")
		args = append(args, query.NameExclude)
	}

	if len(conditionals) != 0 {
		stmt += " WHERE " + strings.Join(conditionals, " AND ")
	}

	stmt, args, err = sqlx.In(stmt, args...)
	if err != nil {
		return nil, fmt.Errorf("error building 'In' query part on software iterator: %w", err)
	}

	rows, err := ds.reader(ctx).QueryxContext(ctx, stmt, args...) //nolint:sqlclosecheck
	if err != nil {
		return nil, fmt.Errorf("executing all software iterator %w", err)
	}
	return &softwareIterator{rows: rows}, nil
}

func (ds *Datastore) UpsertSoftwareCPEs(ctx context.Context, cpes []fleet.SoftwareCPE) (int64, error) {
	var args []interface{}

	if len(cpes) == 0 {
		return 0, nil
	}

	values := strings.TrimSuffix(strings.Repeat("(?,?),", len(cpes)), ",")
	sql := fmt.Sprintf(
		`INSERT INTO software_cpe (software_id, cpe) VALUES %s ON DUPLICATE KEY UPDATE cpe = VALUES(cpe)`,
		values,
	)

	for _, cpe := range cpes {
		args = append(args, cpe.SoftwareID, cpe.CPE)
	}
	res, err := ds.writer(ctx).ExecContext(ctx, sql, args...)
	if err != nil {
		return 0, ctxerr.Wrap(ctx, err, "insert software cpes")
	}
	count, _ := res.RowsAffected()

	return count, nil
}

func (ds *Datastore) DeleteSoftwareCPEs(ctx context.Context, cpes []fleet.SoftwareCPE) (int64, error) {
	if len(cpes) == 0 {
		return 0, nil
	}

	stmt := `DELETE FROM software_cpe WHERE (software_id) IN (?)`

	softwareIDs := make([]uint, 0, len(cpes))
	for _, cpe := range cpes {
		softwareIDs = append(softwareIDs, cpe.SoftwareID)
	}

	query, args, err := sqlx.In(stmt, softwareIDs)
	if err != nil {
		return 0, ctxerr.Wrap(ctx, err, "error building 'In' query part when deleting software CPEs")
	}

	res, err := ds.writer(ctx).ExecContext(ctx, query, args...)
	if err != nil {
		return 0, ctxerr.Wrapf(ctx, err, "deleting cpes software")
	}

	count, _ := res.RowsAffected()

	return count, nil
}

func (ds *Datastore) ListSoftwareCPEs(ctx context.Context) ([]fleet.SoftwareCPE, error) {
	var result []fleet.SoftwareCPE

	var err error
	var args []interface{}

	stmt := `SELECT id, software_id, cpe FROM software_cpe`
	err = sqlx.SelectContext(ctx, ds.reader(ctx), &result, stmt, args...)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "loads cpes")
	}
	return result, nil
}

func (ds *Datastore) ListSoftware(ctx context.Context, opt fleet.SoftwareListOptions) ([]fleet.Software, *fleet.PaginationMetadata, error) {
	if !opt.VulnerableOnly && (opt.MinimumCVSS > 0 || opt.MaximumCVSS > 0 || opt.KnownExploit) {
		return nil, nil, fleet.NewInvalidArgumentError(
			"query", "min_cvss_score, max_cvss_score, and exploit can only be provided with vulnerable=true",
		)
	}

	software, err := listSoftwareDB(ctx, ds.reader(ctx), opt)
	if err != nil {
		return nil, nil, err
	}

	var titleIDs []uint
	for _, s := range software {
		if s.TitleID != nil {
			titleIDs = append(titleIDs, *s.TitleID)
		}
	}

	var tmID uint
	if opt.TeamID != nil {
		tmID = *opt.TeamID
	}
	displayNames, err := ds.getDisplayNamesByTeamAndTitleIds(ctx, tmID, titleIDs)
	if err != nil && !fleet.IsNotFound(err) {
		return nil, nil, ctxerr.Wrap(ctx, err, "get software display names by team and title IDs")
	}

	for i, s := range software {
		if s.TitleID != nil {
			if displayName, ok := displayNames[*s.TitleID]; ok {
				software[i].DisplayName = displayName
			}
		}
	}

	perPage := opt.ListOptions.PerPage
	var metaData *fleet.PaginationMetadata
	if opt.ListOptions.IncludeMetadata {
		if perPage <= 0 {
			perPage = defaultSelectLimit
		}
		metaData = &fleet.PaginationMetadata{HasPreviousResults: opt.ListOptions.Page > 0}
		if len(software) > int(perPage) { //nolint:gosec // dismiss G115
			metaData.HasNextResults = true
			software = software[:len(software)-1]
		}
	}

	return software, metaData, nil
}

func (ds *Datastore) CountSoftware(ctx context.Context, opt fleet.SoftwareListOptions) (int, error) {
	return countSoftwareDB(ctx, ds.reader(ctx), opt)
}

// DeleteSoftwareVulnerabilities deletes the given list of software vulnerabilities
func (ds *Datastore) DeleteSoftwareVulnerabilities(ctx context.Context, vulnerabilities []fleet.SoftwareVulnerability) error {
	if len(vulnerabilities) == 0 {
		return nil
	}

	sql := fmt.Sprintf(
		`DELETE FROM software_cve WHERE (software_id, cve) IN (%s)`,
		strings.TrimSuffix(strings.Repeat("(?,?),", len(vulnerabilities)), ","),
	)
	var args []interface{}
	for _, vulnerability := range vulnerabilities {
		args = append(args, vulnerability.SoftwareID, vulnerability.CVE)
	}
	if _, err := ds.writer(ctx).ExecContext(ctx, sql, args...); err != nil {
		return ctxerr.Wrapf(ctx, err, "deleting vulnerable software")
	}
	return nil
}

func (ds *Datastore) DeleteOutOfDateVulnerabilities(ctx context.Context, source fleet.VulnerabilitySource, olderThan time.Time) error {
	if _, err := ds.writer(ctx).ExecContext(
		ctx,
		`DELETE FROM software_cve WHERE source = ? AND updated_at < ?`,
		source, olderThan,
	); err != nil {
		return ctxerr.Wrap(ctx, err, "deleting out of date vulnerabilities")
	}
	return nil
}

func (ds *Datastore) SoftwareByID(ctx context.Context, id uint, teamID *uint, includeCVEScores bool, tmFilter *fleet.TeamFilter) (*fleet.Software, error) {
	q := dialect.From(goqu.I("software").As("s")).
		Select(
			"s.id",
			"s.name",
			"s.version",
			"s.source",
			"s.extension_for",
			"s.bundle_identifier",
			"s.upgrade_code",
			"s.release",
			"s.vendor",
			"s.arch",
			"s.extension_id",
			"s.title_id",
			"scv.cve",
			"scv.created_at",
			goqu.COALESCE(goqu.I("scp.cpe"), "").As("generated_cpe"),
		).
		LeftJoin(
			goqu.I("software_cpe").As("scp"),
			goqu.On(
				goqu.I("s.id").Eq(goqu.I("scp.software_id")),
			),
		).
		LeftJoin(
			goqu.I("software_cve").As("scv"),
			goqu.On(goqu.I("s.id").Eq(goqu.I("scv.software_id"))),
		)

	// join only on software_id as we'll need counts for all teams
	// to filter down to the team's the user has access to
	if tmFilter != nil {
		q = q.LeftJoin(
			goqu.I("software_host_counts").As("shc"),
			goqu.On(goqu.I("s.id").Eq(goqu.I("shc.software_id"))),
		)
	}

	if includeCVEScores {
		q = q.
			LeftJoin(
				goqu.I("cve_meta").As("c"),
				goqu.On(goqu.I("c.cve").Eq(goqu.I("scv.cve"))),
			).
			SelectAppend(
				"c.cvss_score",
				"c.epss_probability",
				"c.cisa_known_exploit",
				"c.description",
				goqu.I("c.published").As("cve_published"),
				"scv.resolved_in_version",
			)
	}

	q = q.Where(goqu.I("s.id").Eq(id))
	// If teamID is not specified, we still return the software even if it is not associated with any hosts.
	// Software is cleaned up by a cron job, so it is possible to have software in software_hosts_counts that has been deleted from a host.
	if teamID != nil {
		// If teamID filter is used, host counts need to be up-to-date.
		// This should generally be the case, since unused software is cleared when host counts are updated.
		// However, it is possible that the software was deleted from all hosts after the last host count update.
		q = q.Where(
			goqu.L(
				"EXISTS (SELECT 1 FROM software_host_counts WHERE software_id = ? AND team_id = ? AND hosts_count > 0 AND global_stats = 0)", id, *teamID,
			),
		)
	}

	// filter by teams
	if tmFilter != nil {
		q = q.Where(goqu.L(ds.whereFilterGlobalOrTeamIDByTeams(*tmFilter, "shc")))
	}

	sql, args, err := q.ToSQL()
	if err != nil {
		return nil, err
	}

	var results []softwareCVE
	err = sqlx.SelectContext(ctx, ds.reader(ctx), &results, sql, args...)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "get software")
	}

	if len(results) == 0 {
		return nil, ctxerr.Wrap(ctx, notFound("Software").WithID(id))
	}

	var software fleet.Software
	for i, result := range results {
		result := result // create a copy because we need to take the address to fields below

		if i == 0 {
			software = result.Software
		}

		var tmID uint
		if teamID != nil {
			tmID = *teamID
		}

		if software.TitleID != nil {
			displayName, err := ds.getSoftwareTitleDisplayName(ctx, tmID, *software.TitleID)
			if err != nil && !fleet.IsNotFound(err) {
				return nil, ctxerr.Wrap(ctx, err, "getting display name for software")
			}
			software.DisplayName = displayName
		}

		if result.CVE != nil {
			cveID := *result.CVE
			cve := fleet.CVE{
				CVE:         cveID,
				DetailsLink: fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", cveID),
				CreatedAt:   *result.CreatedAt,
			}
			if includeCVEScores {
				cve.CVSSScore = &result.CVSSScore
				cve.EPSSProbability = &result.EPSSProbability
				cve.CISAKnownExploit = &result.CISAKnownExploit
				cve.CVEPublished = &result.CVEPublished
				cve.ResolvedInVersion = &result.ResolvedInVersion
			}
			software.Vulnerabilities = append(software.Vulnerabilities, cve)
		}
	}

	return &software, nil
}

// SyncHostsSoftware calculates the number of hosts having each
// software installed and stores that information in the software_host_counts
// table.
//
// After aggregation, it cleans up unused software (e.g. software installed
// on removed hosts, software uninstalled on hosts, etc.)
func (ds *Datastore) SyncHostsSoftware(ctx context.Context, updatedAt time.Time) error {
	const (
		resetStmt = `
      UPDATE software_host_counts
      SET hosts_count = 0, updated_at = ?`

		// team_id is added to the select list to have the same structure as
		// the teamCountsStmt, making it easier to use a common implementation
		globalCountsStmt = `
      SELECT count(*), 0 as team_id, software_id, 1 as global_stats
      FROM host_software
      WHERE software_id > ? AND software_id <= ?
      GROUP BY software_id`

		teamCountsStmt = `
      SELECT count(*), h.team_id, hs.software_id, 0 as global_stats
      FROM host_software hs
      INNER JOIN hosts h
      ON hs.host_id = h.id
      WHERE h.team_id IS NOT NULL AND hs.software_id > ? AND hs.software_id <= ?
      GROUP BY hs.software_id, h.team_id`

		noTeamCountsStmt = `
      SELECT count(*), 0 as team_id, software_id, 0 as global_stats
      FROM host_software hs
      INNER JOIN hosts h
      ON hs.host_id = h.id
      WHERE h.team_id IS NULL AND hs.software_id > ? AND hs.software_id <= ?
      GROUP BY hs.software_id`

		insertStmt = `
      INSERT INTO software_host_counts
        (software_id, hosts_count, team_id, global_stats, updated_at)
      VALUES
        %s
      ON DUPLICATE KEY UPDATE
        hosts_count = VALUES(hosts_count),
        updated_at = VALUES(updated_at)`

		valuesPart = `(?, ?, ?, ?, ?),`

		// We must ensure that software is not in host_software table before deleting it.
		// This prevents a race condition where a host just added the software, but it is not part of software_host_counts yet.
		// When a host adds software, software table and host_software table are updated in the same transaction.
		cleanupSoftwareStmt = `
      DELETE s
      FROM software s
      LEFT JOIN software_host_counts shc
      ON s.id = shc.software_id
      WHERE
        (shc.software_id IS NULL OR
        (shc.team_id = 0 AND shc.hosts_count = 0)) AND
		NOT EXISTS (SELECT 1 FROM host_software hsw WHERE hsw.software_id = s.id)
	  `

		cleanupOrphanedStmt = `
		  DELETE shc
		  FROM
		    software_host_counts shc
		    LEFT JOIN software s ON s.id = shc.software_id
		  WHERE
		    s.id IS NULL
		`

		cleanupTeamStmt = `
      DELETE shc
      FROM software_host_counts shc
      LEFT JOIN teams t
      ON t.id = shc.team_id
      WHERE
        shc.team_id > 0 AND
        t.id IS NULL`
	)

	// first, reset all counts to 0
	if _, err := ds.writer(ctx).ExecContext(ctx, resetStmt, updatedAt); err != nil {
		return ctxerr.Wrap(ctx, err, "reset all software_host_counts to 0")
	}

	db := ds.reader(ctx)

	// Figure out how many software items we need to count.
	type minMaxIDs struct {
		Min uint64 `db:"min"`
		Max uint64 `db:"max"`
	}
	minMax := minMaxIDs{}
	err := sqlx.GetContext(
		ctx, db, &minMax, "SELECT COALESCE(MIN(software_id),1) as min, COALESCE(MAX(software_id),0) as max FROM host_software",
	)
	if err != nil {
		return ctxerr.Wrap(ctx, err, "get min/max software_id")
	}
	if minMax.Min == 0 {
		minMax.Min = 1
		level.Warn(ds.logger).Log("msg", "software_id 0 found in host_software table; performing counts without those entries")
	}

	for minSoftwareID, maxSoftwareID := minMax.Min-1, minMax.Min-1+countHostSoftwareBatchSize; minSoftwareID < minMax.Max; minSoftwareID, maxSoftwareID = maxSoftwareID, maxSoftwareID+countHostSoftwareBatchSize {

		// next get a cursor for the global and team counts for each software
		stmtLabel := []string{"global", "team", "noteam"}
		for i, countStmt := range []string{globalCountsStmt, teamCountsStmt, noTeamCountsStmt} {
			rows, err := db.QueryContext(ctx, countStmt, minSoftwareID, maxSoftwareID)
			if err != nil {
				return ctxerr.Wrapf(ctx, err, "read %s counts from host_software", stmtLabel[i])
			}
			defer rows.Close()

			// use a loop to iterate to prevent loading all in one go in memory, as it
			// could get pretty big at >100K hosts with 1000+ software each. Use a write
			// batch to prevent making too many single-row inserts.
			const batchSize = 100
			var batchCount int
			args := make([]interface{}, 0, batchSize*4)
			for rows.Next() {
				var (
					count        int
					teamID       uint
					sid          uint
					global_stats bool
				)

				if err := rows.Scan(&count, &teamID, &sid, &global_stats); err != nil {
					return ctxerr.Wrapf(ctx, err, "scan %s row into variables", stmtLabel[i])
				}

				args = append(args, sid, count, teamID, global_stats, updatedAt)
				batchCount++

				if batchCount == batchSize {
					values := strings.TrimSuffix(strings.Repeat(valuesPart, batchCount), ",")
					if _, err := ds.writer(ctx).ExecContext(ctx, fmt.Sprintf(insertStmt, values), args...); err != nil {
						return ctxerr.Wrapf(ctx, err, "insert %s batch into software_host_counts", stmtLabel[i])
					}

					args = args[:0]
					batchCount = 0
				}
			}
			if batchCount > 0 {
				values := strings.TrimSuffix(strings.Repeat(valuesPart, batchCount), ",")
				if _, err := ds.writer(ctx).ExecContext(ctx, fmt.Sprintf(insertStmt, values), args...); err != nil {
					return ctxerr.Wrapf(ctx, err, "insert last %s batch into software_host_counts", stmtLabel[i])
				}
			}
			if err := rows.Err(); err != nil {
				return ctxerr.Wrapf(ctx, err, "iterate over %s host_software counts", stmtLabel[i])
			}
			rows.Close()
		}

	}

	// remove any unused software (global counts = 0)
	if _, err := ds.writer(ctx).ExecContext(ctx, cleanupSoftwareStmt); err != nil {
		return ctxerr.Wrap(ctx, err, "delete unused software")
	}

	// remove any software count row for software that don't exist anymore
	if _, err := ds.writer(ctx).ExecContext(ctx, cleanupOrphanedStmt); err != nil {
		return ctxerr.Wrap(ctx, err, "delete software_host_counts for non-existing software")
	}

	// remove any software count row for teams that don't exist anymore
	if _, err := ds.writer(ctx).ExecContext(ctx, cleanupTeamStmt); err != nil {
		return ctxerr.Wrap(ctx, err, "delete software_host_counts for non-existing teams")
	}
	return nil
}

func (ds *Datastore) CleanupSoftwareTitles(ctx context.Context) error {
	var n int64
	defer func(start time.Time) {
		level.Debug(ds.logger).Log(
			"msg", "cleanup orphaned software titles",
			"rows_affected", n,
			"took", time.Since(start),
		)
	}(time.Now())

	const deleteOrphanedSoftwareTitlesStmt = `
	DELETE st FROM software_titles st
	LEFT JOIN software s ON st.id = s.title_id
	LEFT JOIN software_installers si ON st.id = si.title_id
	LEFT JOIN in_house_apps iha ON st.id = iha.title_id
	LEFT JOIN vpp_apps vap ON st.id = vap.title_id
	WHERE s.title_id IS NULL AND si.title_id IS NULL AND iha.title_id IS NULL AND vap.title_id IS NULL`

	res, err := ds.writer(ctx).ExecContext(ctx, deleteOrphanedSoftwareTitlesStmt)
	if err != nil {
		return ctxerr.Wrap(ctx, err, "executing delete of software titles")
	}
	ra, _ := res.RowsAffected()
	n += ra

	return nil
}

func (ds *Datastore) HostVulnSummariesBySoftwareIDs(ctx context.Context, softwareIDs []uint) ([]fleet.HostVulnerabilitySummary, error) {
	stmt := `
		SELECT DISTINCT
			h.id,
			h.hostname,
			if(h.computer_name = '', h.hostname, h.computer_name) display_name,
			COALESCE(hsip.installed_path, '') AS software_installed_path
		FROM hosts h
				INNER JOIN host_software hs ON h.id = hs.host_id AND hs.software_id IN (?)
				LEFT JOIN host_software_installed_paths hsip ON hs.host_id = hsip.host_id AND hs.software_id = hsip.software_id
		ORDER BY h.id`

	stmt, args, err := sqlx.In(stmt, softwareIDs)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "building query args")
	}

	var qR []struct {
		HostID      uint   `db:"id"`
		HostName    string `db:"hostname"`
		DisplayName string `db:"display_name"`
		SPath       string `db:"software_installed_path"`
	}
	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &qR, stmt, args...); err != nil {
		return nil, ctxerr.Wrap(ctx, err, "selecting hosts by softwareIDs")
	}

	var result []fleet.HostVulnerabilitySummary
	lookup := make(map[uint]int)

	for _, r := range qR {
		i, ok := lookup[r.HostID]

		if ok {
			result[i].AddSoftwareInstalledPath(r.SPath)
			continue
		}

		mapped := fleet.HostVulnerabilitySummary{
			ID:          r.HostID,
			Hostname:    r.HostName,
			DisplayName: r.DisplayName,
		}
		mapped.AddSoftwareInstalledPath(r.SPath)
		result = append(result, mapped)

		lookup[r.HostID] = len(result) - 1
	}

	return result, nil
}

// Deprecated: ** DEPRECATED **
func (ds *Datastore) HostsByCVE(ctx context.Context, cve string) ([]fleet.HostVulnerabilitySummary, error) {
	stmt := `
		SELECT DISTINCT
				(h.id),
				h.hostname,
				if(h.computer_name = '', h.hostname, h.computer_name) display_name,
				COALESCE(hsip.installed_path, '') AS software_installed_path
		FROM hosts h
			INNER JOIN host_software hs ON h.id = hs.host_id
			INNER JOIN software_cve scv ON scv.software_id = hs.software_id
			LEFT JOIN host_software_installed_paths hsip ON hs.host_id = hsip.host_id AND hs.software_id = hsip.software_id
		WHERE scv.cve = ?
		ORDER BY h.id`

	var qR []struct {
		HostID      uint   `db:"id"`
		HostName    string `db:"hostname"`
		DisplayName string `db:"display_name"`
		SPath       string `db:"software_installed_path"`
	}
	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &qR, stmt, cve); err != nil {
		return nil, ctxerr.Wrap(ctx, err, "selecting hosts by softwareIDs")
	}

	var result []fleet.HostVulnerabilitySummary
	lookup := make(map[uint]int)

	for _, r := range qR {
		i, ok := lookup[r.HostID]

		if ok {
			result[i].AddSoftwareInstalledPath(r.SPath)
			continue
		}

		mapped := fleet.HostVulnerabilitySummary{
			ID:          r.HostID,
			Hostname:    r.HostName,
			DisplayName: r.DisplayName,
		}
		mapped.AddSoftwareInstalledPath(r.SPath)
		result = append(result, mapped)

		lookup[r.HostID] = len(result) - 1
	}

	return result, nil
}

func (ds *Datastore) InsertCVEMeta(ctx context.Context, cveMeta []fleet.CVEMeta) error {
	query := `
INSERT INTO cve_meta (cve, cvss_score, epss_probability, cisa_known_exploit, published, description)
VALUES %s
ON DUPLICATE KEY UPDATE
    cvss_score = VALUES(cvss_score),
    epss_probability = VALUES(epss_probability),
    cisa_known_exploit = VALUES(cisa_known_exploit),
    published = VALUES(published),
    description = VALUES(description)
`

	batchSize := 500
	for i := 0; i < len(cveMeta); i += batchSize {
		end := i + batchSize
		if end > len(cveMeta) {
			end = len(cveMeta)
		}

		batch := cveMeta[i:end]

		valuesFrag := strings.TrimSuffix(strings.Repeat("(?, ?, ?, ?, ?, ?), ", len(batch)), ", ")
		var args []interface{}
		for _, meta := range batch {
			args = append(args, meta.CVE, meta.CVSSScore, meta.EPSSProbability, meta.CISAKnownExploit, meta.Published, meta.Description)
		}

		query := fmt.Sprintf(query, valuesFrag)

		_, err := ds.writer(ctx).ExecContext(ctx, query, args...)
		if err != nil {
			return ctxerr.Wrap(ctx, err, "insert cve scores")
		}
	}

	return nil
}

func (ds *Datastore) InsertSoftwareVulnerability(
	ctx context.Context,
	vuln fleet.SoftwareVulnerability,
	source fleet.VulnerabilitySource,
) (bool, error) {
	if vuln.CVE == "" {
		return false, nil
	}

	var args []interface{}

	stmt := `
		INSERT INTO software_cve (cve, source, software_id, resolved_in_version)
		VALUES (?,?,?,?)
		ON DUPLICATE KEY UPDATE
			source = VALUES(source),
			resolved_in_version = VALUES(resolved_in_version),
			updated_at=?
	`
	args = append(args, vuln.CVE, source, vuln.SoftwareID, vuln.ResolvedInVersion, time.Now().UTC())

	res, err := ds.writer(ctx).ExecContext(ctx, stmt, args...)
	if err != nil {
		return false, ctxerr.Wrap(ctx, err, "insert software vulnerability")
	}

	return insertOnDuplicateDidInsertOrUpdate(res), nil
}

func (ds *Datastore) ListSoftwareVulnerabilitiesByHostIDsSource(
	ctx context.Context,
	hostIDs []uint,
	source fleet.VulnerabilitySource,
) (map[uint][]fleet.SoftwareVulnerability, error) {
	result := make(map[uint][]fleet.SoftwareVulnerability)

	type softwareVulnerabilityWithHostId struct {
		fleet.SoftwareVulnerability
		HostID uint `db:"host_id"`
	}
	var queryR []softwareVulnerabilityWithHostId

	stmt := dialect.
		From(goqu.T("software_cve").As("sc")).
		Join(
			goqu.T("host_software").As("hs"),
			goqu.On(goqu.Ex{
				"sc.software_id": goqu.I("hs.software_id"),
			}),
		).
		Select(
			goqu.I("hs.host_id"),
			goqu.I("sc.software_id"),
			goqu.I("sc.cve"),
			goqu.I("sc.resolved_in_version"),
		).
		Where(
			goqu.I("hs.host_id").In(hostIDs),
			goqu.I("sc.source").Eq(source),
		)

	sql, args, err := stmt.ToSQL()
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "error generating SQL statement")
	}

	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &queryR, sql, args...); err != nil {
		return nil, ctxerr.Wrap(ctx, err, "error executing SQL statement")
	}

	for _, r := range queryR {
		result[r.HostID] = append(result[r.HostID], r.SoftwareVulnerability)
	}

	return result, nil
}

func (ds *Datastore) ListSoftwareForVulnDetection(
	ctx context.Context,
	filters fleet.VulnSoftwareFilter,
) ([]fleet.Software, error) {
	var result []fleet.Software
	var sqlstmt string
	var args []interface{}

	baseSQL := `
		SELECT
			s.id,
			s.name,
			s.version,
			s.release,
			s.arch,
			COALESCE(cpe.cpe, '') AS generated_cpe
		FROM
			software s
		LEFT JOIN
			software_cpe cpe ON s.id = cpe.software_id
	`

	if filters.HostID != nil {
		baseSQL += "JOIN host_software hs ON s.id = hs.software_id "
	}

	conditions := []string{}

	if filters.HostID != nil {
		conditions = append(conditions, "hs.host_id = ?")
		args = append(args, *filters.HostID)
	}

	if filters.Name != "" {
		conditions = append(conditions, "s.name LIKE ?")
		args = append(args, "%"+filters.Name+"%")
	}

	if filters.Source != "" {
		conditions = append(conditions, "s.source = ?")
		args = append(args, filters.Source)
	}

	if len(conditions) > 0 {
		sqlstmt = baseSQL + "WHERE " + strings.Join(conditions, " AND ")
	} else {
		sqlstmt = baseSQL
	}

	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &result, sqlstmt, args...); err != nil {
		return nil, ctxerr.Wrap(ctx, err, "error executing SQL statement")
	}

	return result, nil
}

// ListCVEs returns all cve_meta rows published after 'maxAge'
func (ds *Datastore) ListCVEs(ctx context.Context, maxAge time.Duration) ([]fleet.CVEMeta, error) {
	var result []fleet.CVEMeta

	maxAgeDate := time.Now().Add(-1 * maxAge)
	stmt := dialect.From(goqu.T("cve_meta")).
		Select(
			goqu.C("cve"),
			goqu.C("cvss_score"),
			goqu.C("epss_probability"),
			goqu.C("cisa_known_exploit"),
			goqu.C("published"),
			goqu.C("description"),
		).
		Where(goqu.C("published").Gte(maxAgeDate))

	sql, args, err := stmt.ToSQL()
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "error generating SQL statement")
	}

	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &result, sql, args...); err != nil {
		return nil, ctxerr.Wrap(ctx, err, "error executing SQL statement")
	}

	return result, nil
}

type hostSoftware struct {
	fleet.HostSoftwareWithInstaller

	LastInstallInstalledAt         *time.Time `db:"last_install_installed_at"`
	LastInstallInstallUUID         *string    `db:"last_install_install_uuid"`
	LastUninstallUninstalledAt     *time.Time `db:"last_uninstall_uninstalled_at"`
	LastUninstallScriptExecutionID *string    `db:"last_uninstall_script_execution_id"`

	ExitCode              *int       `db:"exit_code"`
	LastOpenedAt          *time.Time `db:"last_opened_at"`
	BundleIdentifier      *string    `db:"bundle_identifier"`
	Version               *string    `db:"version"`
	SoftwareID            *uint      `db:"software_id"`
	SoftwareSource        *string    `db:"software_source"`
	SoftwareExtensionFor  *string    `db:"software_extension_for"`
	InstallerID           *uint      `db:"installer_id"`
	PackageSelfService    *bool      `db:"package_self_service"`
	PackageName           *string    `db:"package_name"`
	PackagePlatform       *string    `db:"package_platform"`
	PackageVersion        *string    `db:"package_version"`
	VPPAppSelfService     *bool      `db:"vpp_app_self_service"`
	VPPAppAdamID          *string    `db:"vpp_app_adam_id"`
	VPPAppVersion         *string    `db:"vpp_app_version"`
	VPPAppPlatform        *string    `db:"vpp_app_platform"`
	VPPAppIconURL         *string    `db:"vpp_app_icon_url"`
	InHouseAppID          *uint      `db:"in_house_app_id"`
	InHouseAppName        *string    `db:"in_house_app_name"`
	InHouseAppPlatform    *string    `db:"in_house_app_platform"`
	InHouseAppVersion     *string    `db:"in_house_app_version"`
	InHouseAppSelfService *bool      `db:"in_house_app_self_service"`

	VulnerabilitiesList       *string `db:"vulnerabilities_list"`
	SoftwareIDList            *string `db:"software_id_list"`
	SoftwareSourceList        *string `db:"software_source_list"`
	SoftwareExtensionForList  *string `db:"software_extension_for_list"`
	VersionList               *string `db:"version_list"`
	BundleIdentifierList      *string `db:"bundle_identifier_list"`
	VPPAppSelfServiceList     *string `db:"vpp_app_self_service_list"`
	VPPAppAdamIDList          *string `db:"vpp_app_adam_id_list"`
	VPPAppVersionList         *string `db:"vpp_app_version_list"`
	VPPAppPlatformList        *string `db:"vpp_app_platform_list"`
	VPPAppIconUrlList         *string `db:"vpp_app_icon_url_list"`
	InHouseAppIDList          *string `db:"in_house_app_id_list"`
	InHouseAppNameList        *string `db:"in_house_app_name_list"`
	InHouseAppPlatformList    *string `db:"in_house_app_platform_list"`
	InHouseAppVersionList     *string `db:"in_house_app_version_list"`
	InHouseAppSelfServiceList *string `db:"in_house_app_self_service_list"`
	SoftwareUpgradeCodeList   *string `db:"software_upgrade_code_list"`
}

func hostInstalledSoftware(ds *Datastore, ctx context.Context, hostID uint) ([]*hostSoftware, error) {
	installedSoftwareStmt := `
		SELECT
			software_titles.id AS id,
			host_software.software_id AS software_id,
			host_software.last_opened_at,
			software.source AS software_source,
			software.extension_for AS software_extension_for,
			software.version AS version,
			software.bundle_identifier AS bundle_identifier,
			software_titles.upgrade_code AS upgrade_code
		FROM
			host_software
		INNER JOIN
			software ON host_software.software_id = software.id
		INNER JOIN
			software_titles ON software.title_id = software_titles.id
		WHERE
			host_software.host_id = ?
	`

	var hostInstalledSoftware []*hostSoftware
	err := sqlx.SelectContext(ctx, ds.reader(ctx), &hostInstalledSoftware, installedSoftwareStmt, hostID)
	if err != nil {
		return nil, err
	}

	return hostInstalledSoftware, nil
}

func hostSoftwareInstalls(ds *Datastore, ctx context.Context, hostID uint) ([]*hostSoftware, error) {
	softwareInstallsStmt := `
        WITH upcoming_software_install AS (
            SELECT
                ua.execution_id AS last_install_install_uuid,
                ua.created_at AS last_install_installed_at,
                siua.software_installer_id AS installer_id,
                'pending_install' AS status
            FROM
                upcoming_activities ua
            INNER JOIN
                software_install_upcoming_activities siua ON ua.id = siua.upcoming_activity_id
            LEFT JOIN (
                upcoming_activities ua2
                INNER JOIN software_install_upcoming_activities siua2 ON ua2.id = siua2.upcoming_activity_id
            ) ON ua.host_id = ua2.host_id AND
                siua.software_installer_id = siua2.software_installer_id AND
                ua.activity_type = ua2.activity_type AND
                (ua2.priority < ua.priority OR ua2.created_at > ua.created_at)
            WHERE
                ua.host_id = ? AND
                ua.activity_type = 'software_install' AND
                ua2.id IS NULL
        ),
        last_software_install AS (
            SELECT
                hsi.execution_id AS last_install_install_uuid,
                hsi.updated_at AS last_install_installed_at,
                hsi.software_installer_id AS installer_id,
                hsi.status AS status
            FROM
                host_software_installs hsi
            LEFT JOIN
                host_software_installs hsi2 ON hsi.host_id = hsi2.host_id AND
                    hsi.software_installer_id = hsi2.software_installer_id AND
                    hsi.uninstall = hsi2.uninstall AND
                    hsi2.removed = 0 AND
					hsi2.canceled = 0 AND
                    hsi2.host_deleted_at IS NULL AND
                    (hsi.created_at < hsi2.created_at OR (hsi.created_at = hsi2.created_at AND hsi.id < hsi2.id))
            WHERE
                hsi.host_id = ? AND
                hsi.removed = 0 AND
				hsi.canceled = 0 AND
                hsi.uninstall = 0 AND
                hsi.host_deleted_at IS NULL AND
                hsi2.id IS NULL AND
                NOT EXISTS (
                    SELECT 1
                    FROM
                        upcoming_activities ua
                    INNER JOIN
                        software_install_upcoming_activities siua ON ua.id = siua.upcoming_activity_id
                    WHERE
                        ua.host_id = hsi.host_id AND
                        siua.software_installer_id = hsi.software_installer_id AND
                        ua.activity_type = 'software_install'
                )
        )
        SELECT
			software_installers.id AS installer_id,
			software_installers.self_service AS package_self_service,
			software_titles.id AS id,
			lsia.*
		FROM
			(SELECT * FROM upcoming_software_install UNION SELECT * FROM last_software_install) AS lsia
		INNER JOIN
			software_installers ON lsia.installer_id = software_installers.id
		INNER JOIN
			software_titles ON software_installers.title_id = software_titles.id
    `
	var softwareInstalls []*hostSoftware
	err := sqlx.SelectContext(ctx, ds.reader(ctx), &softwareInstalls, softwareInstallsStmt, hostID, hostID)
	if err != nil {
		return nil, err
	}

	return softwareInstalls, nil
}

func hostSoftwareUninstalls(ds *Datastore, ctx context.Context, hostID uint) ([]*hostSoftware, error) {
	softwareUninstallsStmt := `
        WITH upcoming_software_uninstall AS (
            SELECT
                ua.execution_id AS last_uninstall_script_execution_id,
                ua.created_at AS last_uninstall_uninstalled_at,
                siua.software_installer_id AS installer_id,
                'pending_uninstall' AS status
            FROM
                upcoming_activities ua
            INNER JOIN
                software_install_upcoming_activities siua ON ua.id = siua.upcoming_activity_id
            LEFT JOIN (
                upcoming_activities ua2
                INNER JOIN software_install_upcoming_activities siua2 ON ua2.id = siua2.upcoming_activity_id
            ) ON ua.host_id = ua2.host_id AND
                siua.software_installer_id = siua2.software_installer_id AND
                ua.activity_type = ua2.activity_type AND
                (ua2.priority < ua.priority OR ua2.created_at > ua.created_at)
            WHERE
                ua.host_id = ? AND
                ua.activity_type = 'software_uninstall' AND
                ua2.id IS NULL
        ),
        last_software_uninstall AS (
            SELECT
                hsi.execution_id AS last_uninstall_script_execution_id,
                hsi.updated_at AS last_uninstall_uninstalled_at,
                hsi.software_installer_id AS installer_id,
                hsi.status AS status
            FROM
                host_software_installs hsi
            LEFT JOIN
                host_software_installs hsi2 ON hsi.host_id = hsi2.host_id AND
                    hsi.software_installer_id = hsi2.software_installer_id AND
                    hsi.uninstall = hsi2.uninstall AND
                    hsi2.removed = 0 AND
					hsi2.canceled = 0 AND
                    hsi2.host_deleted_at IS NULL AND
                    (hsi.created_at < hsi2.created_at OR (hsi.created_at = hsi2.created_at AND hsi.id < hsi2.id))
            WHERE
                hsi.host_id = ? AND
                hsi.removed = 0 AND
                hsi.uninstall = 1 AND
				hsi.canceled = 0 AND
                hsi.host_deleted_at IS NULL AND
                hsi2.id IS NULL AND
                NOT EXISTS (
                    SELECT 1
                    FROM
                        upcoming_activities ua
                    INNER JOIN
                        software_install_upcoming_activities siua ON ua.id = siua.upcoming_activity_id
                    WHERE
                        ua.host_id = hsi.host_id AND
                        siua.software_installer_id = hsi.software_installer_id AND
                        ua.activity_type = 'software_uninstall'
                )
        )
        SELECT
			software_installers.id AS installer_id,
			software_titles.id AS id,
			host_script_results.exit_code AS exit_code,
			lsua.*
		FROM
            (SELECT * FROM upcoming_software_uninstall UNION SELECT * FROM last_software_uninstall) AS lsua
		INNER JOIN
			software_installers ON lsua.installer_id = software_installers.id
		INNER JOIN
			software_titles ON software_installers.title_id = software_titles.id
		LEFT OUTER JOIN
			host_script_results ON host_script_results.host_id = ? AND host_script_results.execution_id = lsua.last_uninstall_script_execution_id
    `
	var softwareUninstalls []*hostSoftware
	err := sqlx.SelectContext(ctx, ds.reader(ctx), &softwareUninstalls, softwareUninstallsStmt, hostID, hostID, hostID)
	if err != nil {
		return nil, err
	}

	return softwareUninstalls, nil
}

func filterSoftwareInstallersByLabel(
	ds *Datastore,
	ctx context.Context,
	host *fleet.Host,
	bySoftwareTitleID map[uint]*hostSoftware,
) (map[uint]*hostSoftware, error) {
	if len(bySoftwareTitleID) == 0 {
		return bySoftwareTitleID, nil
	}

	filteredbySoftwareTitleID := make(map[uint]*hostSoftware, len(bySoftwareTitleID))
	softwareInstallersIDsToCheck := make([]uint, 0, len(bySoftwareTitleID))

	for _, st := range bySoftwareTitleID {
		if st.InstallerID != nil {
			softwareInstallersIDsToCheck = append(softwareInstallersIDsToCheck, *st.InstallerID)
		}
	}

	if len(softwareInstallersIDsToCheck) > 0 {
		labelSqlFilter := `
			WITH no_labels AS (
				SELECT
					software_installers.id AS installer_id,
					0 AS count_installer_labels,
					0 AS count_host_labels,
					0 AS count_host_updated_after_labels
				FROM
					software_installers
				WHERE NOT EXISTS (
					SELECT 1
					FROM software_installer_labels
					WHERE software_installer_labels.software_installer_id = software_installers.id
				)
			),
			include_any AS (
				SELECT
					software_installers.id AS installer_id,
					COUNT(*) AS count_installer_labels,
					COUNT(label_membership.label_id) AS count_host_labels,
					0 AS count_host_updated_after_labels
				FROM
					software_installers
				INNER JOIN software_installer_labels
					ON software_installer_labels.software_installer_id = software_installers.id AND software_installer_labels.exclude = 0
				LEFT JOIN label_membership
					ON label_membership.label_id = software_installer_labels.label_id
					AND label_membership.host_id = :host_id
				GROUP BY
					software_installers.id
				HAVING
					COUNT(*) > 0 AND COUNT(label_membership.label_id) > 0
			),
			exclude_any AS (
				SELECT
					software_installers.id AS installer_id,
					COUNT(software_installer_labels.label_id) AS count_installer_labels,
					COUNT(label_membership.label_id) AS count_host_labels,
					SUM(
						CASE
							WHEN labels.created_at IS NOT NULL AND (
								labels.label_membership_type = 1 OR
								(labels.label_membership_type = 0 AND :host_label_updated_at >= labels.created_at)
							) THEN 1
							ELSE 0
						END
					) AS count_host_updated_after_labels
				FROM
					software_installers
				INNER JOIN software_installer_labels
					ON software_installer_labels.software_installer_id = software_installers.id AND software_installer_labels.exclude = 1
				INNER JOIN labels
					ON labels.id = software_installer_labels.label_id
				LEFT JOIN label_membership
					ON label_membership.label_id = software_installer_labels.label_id
					AND label_membership.host_id = :host_id
				GROUP BY
					software_installers.id
				HAVING
					COUNT(*) > 0
					AND COUNT(*) = SUM(
						CASE
							WHEN labels.created_at IS NOT NULL AND (
								labels.label_membership_type = 1 OR
								(labels.label_membership_type = 0 AND :host_label_updated_at >= labels.created_at)
							) THEN 1
							ELSE 0
						END
					)
					AND COUNT(label_membership.label_id) = 0
			)
			SELECT
				software_installers.id AS id,
				software_installers.title_id AS title_id
			FROM
				software_installers
			LEFT JOIN no_labels
				ON no_labels.installer_id = software_installers.id
			LEFT JOIN include_any
				ON include_any.installer_id = software_installers.id
			LEFT JOIN exclude_any
				ON exclude_any.installer_id = software_installers.id
			WHERE
				software_installers.id IN (:software_installer_ids)
				AND (
					no_labels.installer_id IS NOT NULL
					OR include_any.installer_id IS NOT NULL
					OR exclude_any.installer_id IS NOT NULL
				)
		`
		labelSqlFilter, args, err := sqlx.Named(labelSqlFilter, map[string]any{
			"host_id":                host.ID,
			"host_label_updated_at":  host.LabelUpdatedAt,
			"software_installer_ids": softwareInstallersIDsToCheck,
		})
		if err != nil {
			return nil, ctxerr.Wrap(ctx, err, "filterSoftwareInstallersByLabel building named query args")
		}

		labelSqlFilter, args, err = sqlx.In(labelSqlFilter, args...)
		if err != nil {
			return nil, ctxerr.Wrap(ctx, err, "filterSoftwareInstallersByLabel building in query args")
		}

		labelSqlFilter = ds.reader(ctx).Rebind(labelSqlFilter)

		var validSoftwareInstallers []struct {
			Id      uint `db:"id"`
			TitleId uint `db:"title_id"`
		}
		err = sqlx.SelectContext(ctx, ds.reader(ctx), &validSoftwareInstallers, labelSqlFilter, args...)
		if err != nil {
			return nil, ctxerr.Wrap(ctx, err, "filterSoftwareInstallersByLabel executing query")
		}

		// go through the returned list of validSoftwareInstaller and add all the titles that meet the label criteria to be returned
		for _, validSoftwareInstaller := range validSoftwareInstallers {
			filteredbySoftwareTitleID[validSoftwareInstaller.TitleId] = bySoftwareTitleID[validSoftwareInstaller.TitleId]
		}
	}

	return filteredbySoftwareTitleID, nil
}

func filterVPPAppsByLabel(
	ds *Datastore,
	ctx context.Context,
	host *fleet.Host,
	byVppAppID map[string]*hostSoftware,
	hostVPPInstalledTitles map[uint]*hostSoftware,
) (map[string]*hostSoftware, map[string]*hostSoftware, error) {
	filteredbyVppAppID := make(map[string]*hostSoftware, len(byVppAppID))
	otherVppAppsInInventory := make(map[string]*hostSoftware, len(hostVPPInstalledTitles))
	// This is the list of VPP apps that are installed on the host by fleet or the user
	// that we want to check are in scope or not
	vppAppIDsToCheck := make([]string, 0, len(byVppAppID))

	for _, st := range byVppAppID {
		vppAppIDsToCheck = append(vppAppIDsToCheck, *st.VPPAppAdamID)
	}
	for _, st := range hostVPPInstalledTitles {
		if st.VPPAppAdamID != nil {
			vppAppIDsToCheck = append(vppAppIDsToCheck, *st.VPPAppAdamID)
		}
	}

	if len(vppAppIDsToCheck) > 0 {
		var globalOrTeamID uint
		if host.TeamID != nil {
			globalOrTeamID = *host.TeamID
		}

		labelSqlFilter := `
			WITH no_labels AS (
				SELECT
					vpp_apps_teams.id AS team_id,
					0 AS count_installer_labels,
					0 AS count_host_labels,
					0 as count_host_updated_after_labels
				FROM
					vpp_apps_teams
				WHERE NOT EXISTS (
					SELECT 1
					FROM vpp_app_team_labels
					WHERE vpp_app_team_labels.vpp_app_team_id = vpp_apps_teams.id
				)
			),
			include_any AS (
				SELECT
					vpp_apps_teams.id AS team_id,
					COUNT(vpp_app_team_labels.label_id) AS count_installer_labels,
					COUNT(label_membership.label_id) AS count_host_labels,
					0 as count_host_updated_after_labels
				FROM
					vpp_apps_teams
				INNER JOIN vpp_app_team_labels
					ON vpp_app_team_labels.vpp_app_team_id = vpp_apps_teams.id AND vpp_app_team_labels.exclude = 0
				LEFT JOIN label_membership
					ON label_membership.label_id = vpp_app_team_labels.label_id
					AND label_membership.host_id = :host_id
				GROUP BY
					vpp_apps_teams.id
				HAVING
					count_installer_labels > 0 AND count_host_labels > 0
			),
			exclude_any AS (
				SELECT
					vpp_apps_teams.id AS team_id,
					COUNT(vpp_app_team_labels.label_id) AS count_installer_labels,
					COUNT(label_membership.label_id) AS count_host_labels,
					SUM(
						CASE
							WHEN labels.created_at IS NOT NULL AND labels.label_membership_type = 0 AND :host_label_updated_at >= labels.created_at THEN 1
							WHEN labels.created_at IS NOT NULL AND labels.label_membership_type = 1 THEN 1
							ELSE 0
						END
					) AS count_host_updated_after_labels
				FROM
					vpp_apps_teams
				INNER JOIN vpp_app_team_labels
					ON vpp_app_team_labels.vpp_app_team_id = vpp_apps_teams.id AND vpp_app_team_labels.exclude = 1
				INNER JOIN labels
					ON labels.id = vpp_app_team_labels.label_id
				LEFT OUTER JOIN label_membership
					ON label_membership.label_id = vpp_app_team_labels.label_id AND label_membership.host_id = :host_id
				GROUP BY
					vpp_apps_teams.id
				HAVING
					count_installer_labels > 0
					AND count_installer_labels = count_host_updated_after_labels
					AND count_host_labels = 0
			)
			SELECT
				vpp_apps.adam_id AS adam_id,
				vpp_apps.title_id AS title_id
			FROM
				vpp_apps
			INNER JOIN
				vpp_apps_teams ON vpp_apps.adam_id = vpp_apps_teams.adam_id AND vpp_apps.platform = vpp_apps_teams.platform AND vpp_apps_teams.global_or_team_id = :global_or_team_id
			LEFT JOIN no_labels
				ON no_labels.team_id = vpp_apps_teams.id
			LEFT JOIN include_any
				ON include_any.team_id = vpp_apps_teams.id
			LEFT JOIN exclude_any
				ON exclude_any.team_id = vpp_apps_teams.id
			WHERE
				vpp_apps.adam_id IN (:vpp_app_adam_ids)
				AND (
					no_labels.team_id IS NOT NULL
					OR include_any.team_id IS NOT NULL
					OR exclude_any.team_id IS NOT NULL
				)
		`

		labelSqlFilter, args, err := sqlx.Named(labelSqlFilter, map[string]any{
			"host_id":               host.ID,
			"host_label_updated_at": host.LabelUpdatedAt,
			"vpp_app_adam_ids":      vppAppIDsToCheck,
			"global_or_team_id":     globalOrTeamID,
		})
		if err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "filterVppAppsByLabel building named query args")
		}

		labelSqlFilter, args, err = sqlx.In(labelSqlFilter, args...)
		if err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "filterVppAppsByLabel building in query args")
		}

		var validVppApps []struct {
			AdamId  string `db:"adam_id"`
			TitleId uint   `db:"title_id"`
		}
		err = sqlx.SelectContext(ctx, ds.reader(ctx), &validVppApps, labelSqlFilter, args...)
		if err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "filterVppAppsByLabel executing query")
		}

		// differentiate between VPP apps that were installed by Fleet (show install details +
		// ability to reinstall in self-service) vs. VPP apps that Fleet knows about but either
		// weren't installed by Fleet or were installed by Fleet but are no longer in scope
		// (treat as in inventory and not re-installable in self-service)
		for _, validAppApp := range validVppApps {
			if _, ok := byVppAppID[validAppApp.AdamId]; ok {
				filteredbyVppAppID[validAppApp.AdamId] = byVppAppID[validAppApp.AdamId]
			} else if svpp, ok := hostVPPInstalledTitles[validAppApp.TitleId]; ok {
				otherVppAppsInInventory[validAppApp.AdamId] = svpp
			}
		}
	}

	return filteredbyVppAppID, otherVppAppsInInventory, nil
}

func filterInHouseAppsByLabel(
	ds *Datastore,
	ctx context.Context,
	host *fleet.Host,
	byInHouseID map[uint]*hostSoftware,
	hostInHouseInstalledTitles map[uint]*hostSoftware,
) (map[uint]*hostSoftware, map[uint]*hostSoftware, error) {
	filteredByInHouseID := make(map[uint]*hostSoftware, len(byInHouseID))
	otherInHouseAppsInInventory := make(map[uint]*hostSoftware, len(hostInHouseInstalledTitles))

	// This is the list of in-house apps that are installed on the host by fleet or the user
	// that we want to check are in scope or not
	inHouseIDsToCheck := make([]uint, 0, len(byInHouseID))

	for _, st := range byInHouseID {
		inHouseIDsToCheck = append(inHouseIDsToCheck, *st.InHouseAppID)
	}
	for _, st := range hostInHouseInstalledTitles {
		if st.InHouseAppID != nil {
			inHouseIDsToCheck = append(inHouseIDsToCheck, *st.InHouseAppID)
		}
	}

	if len(inHouseIDsToCheck) == 0 {
		return filteredByInHouseID, otherInHouseAppsInInventory, nil
	}

	var globalOrTeamID uint
	if host.TeamID != nil {
		globalOrTeamID = *host.TeamID
	}

	labelSQLFilter := `
			WITH no_labels AS (
				SELECT
					iha.id AS in_house_app_id,
					0 AS count_installer_labels,
					0 AS count_host_labels,
					0 as count_host_updated_after_labels
				FROM
					in_house_apps iha
				WHERE NOT EXISTS (
					SELECT 1
					FROM in_house_app_labels ihl
					WHERE ihl.in_house_app_id = iha.id
				)
			),
			include_any AS (
				SELECT
					iha.id AS in_house_app_id,
					COUNT(ihl.label_id) AS count_installer_labels,
					COUNT(lm.label_id) AS count_host_labels,
					0 as count_host_updated_after_labels
				FROM
					in_house_apps iha
				INNER JOIN in_house_app_labels ihl ON
					ihl.in_house_app_id = iha.id AND ihl.exclude = 0
				LEFT JOIN label_membership lm ON
					lm.label_id = ihl.label_id AND lm.host_id = :host_id
				GROUP BY
					iha.id
				HAVING
					count_installer_labels > 0 AND count_host_labels > 0
			),
			exclude_any AS (
				SELECT
					iha.id AS in_house_app_id,
					COUNT(ihl.label_id) AS count_installer_labels,
					COUNT(lm.label_id) AS count_host_labels,
					SUM(
						CASE
							WHEN lbl.created_at IS NOT NULL AND lbl.label_membership_type = 0 AND :host_label_updated_at >= lbl.created_at THEN 1
							WHEN lbl.created_at IS NOT NULL AND lbl.label_membership_type = 1 THEN 1
							ELSE 0
						END
					) AS count_host_updated_after_labels
				FROM
					in_house_apps iha
				INNER JOIN in_house_app_labels ihl ON
					ihl.in_house_app_id = iha.id AND ihl.exclude = 1
				INNER JOIN labels lbl ON
					lbl.id = ihl.label_id
				LEFT OUTER JOIN label_membership lm ON
					lm.label_id = ihl.label_id AND lm.host_id = :host_id
				GROUP BY
					iha.id
				HAVING
					count_installer_labels > 0 AND
					count_installer_labels = count_host_updated_after_labels AND
					count_host_labels = 0
			)
			SELECT
				iha.id AS in_house_id,
				iha.title_id AS title_id
			FROM
				in_house_apps iha
			LEFT JOIN no_labels
				ON no_labels.in_house_app_id = iha.id
			LEFT JOIN include_any
				ON include_any.in_house_app_id = iha.id
			LEFT JOIN exclude_any
				ON exclude_any.in_house_app_id = iha.id
			WHERE
				iha.global_or_team_id = :global_or_team_id AND
				iha.id IN (:in_house_ids) AND (
					no_labels.in_house_app_id IS NOT NULL OR
					include_any.in_house_app_id IS NOT NULL OR
					exclude_any.in_house_app_id IS NOT NULL
				)
		`

	labelSQLFilter, args, err := sqlx.Named(labelSQLFilter, map[string]any{
		"host_id":               host.ID,
		"host_label_updated_at": host.LabelUpdatedAt,
		"in_house_ids":          inHouseIDsToCheck,
		"global_or_team_id":     globalOrTeamID,
	})
	if err != nil {
		return nil, nil, ctxerr.Wrap(ctx, err, "filterInHouseAppsByLabel building named query args")
	}

	labelSQLFilter, args, err = sqlx.In(labelSQLFilter, args...)
	if err != nil {
		return nil, nil, ctxerr.Wrap(ctx, err, "filterInHouseAppsByLabel building in query args")
	}

	var validInHouseApps []struct {
		InHouseID uint `db:"in_house_id"`
		TitleID   uint `db:"title_id"`
	}
	err = sqlx.SelectContext(ctx, ds.reader(ctx), &validInHouseApps, labelSQLFilter, args...)
	if err != nil {
		return nil, nil, ctxerr.Wrap(ctx, err, "filterInHouseAppsByLabel executing query")
	}

	// differentiate between in-house apps that were installed by Fleet (show install details +
	// ability to reinstall in self-service) vs. in-house apps that Fleet knows about but either
	// weren't installed by Fleet or were installed by Fleet but are no longer in scope
	// (treat as in inventory and not re-installable in self-service)
	for _, validApp := range validInHouseApps {
		if _, ok := byInHouseID[validApp.InHouseID]; ok {
			filteredByInHouseID[validApp.InHouseID] = byInHouseID[validApp.InHouseID]
		} else if installed, ok := hostInHouseInstalledTitles[validApp.TitleID]; ok {
			otherInHouseAppsInInventory[validApp.InHouseID] = installed
		}
	}

	return filteredByInHouseID, otherInHouseAppsInInventory, nil
}

func hostVPPInstalls(ds *Datastore, ctx context.Context, hostID uint, globalOrTeamID uint, selfServiceOnly bool, isMDMEnrolled bool) ([]*hostSoftware, error) {
	var selfServiceFilter string
	if selfServiceOnly {
		if isMDMEnrolled {
			selfServiceFilter = "(vat.self_service = 1) AND "
		} else {
			selfServiceFilter = "FALSE AND "
		}
	}
	vppInstallsStmt := fmt.Sprintf(`
	(   -- upcoming_vpp_install
			SELECT
					vpp_apps.title_id AS id,
					ua.execution_id AS last_install_install_uuid,
					ua.created_at AS last_install_installed_at,
					vaua.adam_id AS vpp_app_adam_id,
					vat.self_service AS vpp_app_self_service,
					'pending_install' AS status
			FROM
					upcoming_activities ua
			INNER JOIN
					vpp_app_upcoming_activities vaua ON ua.id = vaua.upcoming_activity_id
			LEFT JOIN (
					upcoming_activities ua2
					INNER JOIN vpp_app_upcoming_activities vaua2 ON ua2.id = vaua2.upcoming_activity_id
			) ON ua.host_id = ua2.host_id AND
					vaua.adam_id = vaua2.adam_id AND
					vaua.platform = vaua2.platform AND
					ua.activity_type = ua2.activity_type AND
					(ua2.priority < ua.priority OR ua2.created_at > ua.created_at)
			LEFT JOIN
				vpp_apps_teams vat ON vaua.adam_id = vat.adam_id AND vaua.platform = vat.platform AND vat.global_or_team_id = :global_or_team_id
			INNER JOIN
				vpp_apps ON vaua.adam_id = vpp_apps.adam_id AND vaua.platform = vpp_apps.platform
			WHERE
				-- selfServiceFilter
				%s
			 ua.host_id = :host_id AND
			 ua.activity_type = 'vpp_app_install' AND
			 ua2.id IS NULL
) UNION (
			-- last_vpp_install
			SELECT
				vpp_apps.title_id AS id,
				hvsi.command_uuid AS last_install_install_uuid,
				hvsi.created_at AS last_install_installed_at,
				hvsi.adam_id AS vpp_app_adam_id,
				vat.self_service AS vpp_app_self_service,
				-- vppAppHostStatusNamedQuery(hvsi, ncr, status)
				%s
			FROM
				host_vpp_software_installs hvsi
			LEFT JOIN
				nano_command_results ncr ON ncr.command_uuid = hvsi.command_uuid
			LEFT JOIN
				host_vpp_software_installs hvsi2 ON hvsi.host_id = hvsi2.host_id AND
				hvsi.adam_id = hvsi2.adam_id AND
				hvsi.platform = hvsi2.platform AND
				hvsi2.removed = 0 AND
				hvsi2.canceled = 0 AND
				(hvsi.created_at < hvsi2.created_at OR (hvsi.created_at = hvsi2.created_at AND hvsi.id < hvsi2.id))
			INNER JOIN
				vpp_apps_teams vat ON hvsi.adam_id = vat.adam_id AND hvsi.platform = vat.platform AND vat.global_or_team_id = :global_or_team_id
			INNER JOIN
				vpp_apps ON hvsi.adam_id = vpp_apps.adam_id AND hvsi.platform = vpp_apps.platform
			WHERE
				-- selfServiceFilter
				%s
				hvsi.host_id = :host_id AND
				hvsi.removed = 0 AND
				hvsi.canceled = 0 AND
				(hvsi.platform != 'android' OR ncr.id IS NULL) AND
				hvsi2.id IS NULL AND
				NOT EXISTS (
					SELECT 1
					FROM
						upcoming_activities ua
					INNER JOIN
						vpp_app_upcoming_activities vaua ON ua.id = vaua.upcoming_activity_id
					WHERE
						ua.host_id = hvsi.host_id AND
						vaua.adam_id = hvsi.adam_id AND
						vaua.platform = hvsi.platform AND
						ua.activity_type = 'vpp_app_install'
				)
)
`, selfServiceFilter, vppAppHostStatusNamedQuery("hvsi", "ncr", "status"), selfServiceFilter)
	vppInstallsStmt, args, err := sqlx.Named(vppInstallsStmt, map[string]any{
		"host_id":                   hostID,
		"global_or_team_id":         globalOrTeamID,
		"software_status_installed": fleet.SoftwareInstalled,
		"mdm_status_acknowledged":   fleet.MDMAppleStatusAcknowledged,
		"mdm_status_error":          fleet.MDMAppleStatusError,
		"mdm_status_format_error":   fleet.MDMAppleStatusCommandFormatError,
		"software_status_failed":    fleet.SoftwareInstallFailed,
		"software_status_pending":   fleet.SoftwareInstallPending,
	})
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "build named query for host vpp installs")
	}
	var vppInstalls []*hostSoftware
	err = sqlx.SelectContext(ctx, ds.reader(ctx), &vppInstalls, vppInstallsStmt, args...)
	if err != nil {
		return nil, err
	}

	return vppInstalls, nil
}

func hostInHouseInstalls(ds *Datastore, ctx context.Context, hostID uint, globalOrTeamID uint, selfServiceOnly bool, isMDMEnrolled bool) ([]*hostSoftware, error) {
	var selfServiceFilter string
	if selfServiceOnly {
		if isMDMEnrolled {
			selfServiceFilter = "(iha.self_service = 1) AND "
		} else {
			selfServiceFilter = "FALSE AND "
		}
	}

	installsStmt := fmt.Sprintf(`
(   -- upcoming_in_house_install
	SELECT
		iha.title_id AS id,
		ua.execution_id AS last_install_install_uuid,
		ua.created_at AS last_install_installed_at,
		ihua.in_house_app_id AS in_house_app_id,
		iha.filename AS in_house_app_name,
		iha.platform AS in_house_app_platform,
		iha.version AS in_house_app_version,
		iha.self_service AS in_house_app_self_service,
		'pending_install' AS status
	FROM
		upcoming_activities ua
	INNER JOIN
		in_house_app_upcoming_activities ihua ON ua.id = ihua.upcoming_activity_id
	LEFT JOIN (
		upcoming_activities ua2
		INNER JOIN in_house_app_upcoming_activities ihua2 ON ua2.id = ihua2.upcoming_activity_id
	) ON ua.host_id = ua2.host_id AND
			ihua.in_house_app_id = ihua2.in_house_app_id AND
			ua.activity_type = ua2.activity_type AND
			(ua2.priority < ua.priority OR ua2.created_at > ua.created_at)
	INNER JOIN
		in_house_apps iha ON ihua.in_house_app_id = iha.id
	WHERE
		-- selfServiceFilter
		%s
		ua.host_id = :host_id AND
		ua.activity_type = 'in_house_app_install' AND
		iha.global_or_team_id = :global_or_team_id AND
		ua2.id IS NULL
) UNION (
	-- last_in_house_install
	SELECT
		iha.title_id AS id,
		hihsi.command_uuid AS last_install_install_uuid,
		hihsi.created_at AS last_install_installed_at,
		hihsi.in_house_app_id AS in_house_app_id,
		iha.filename AS in_house_app_name,
		iha.platform AS in_house_app_platform,
		iha.version AS in_house_app_version,
		iha.self_service AS in_house_app_self_service,
		-- inHouseAppHostStatusNamedQuery(hvsi, ncr, status)
		%s
	FROM
		host_in_house_software_installs hihsi
	LEFT JOIN
		nano_command_results ncr ON ncr.command_uuid = hihsi.command_uuid
	LEFT JOIN
		host_in_house_software_installs hihsi2 ON hihsi.host_id = hihsi2.host_id AND
			hihsi.in_house_app_id = hihsi2.in_house_app_id AND
			hihsi2.removed = 0 AND
			hihsi2.canceled = 0 AND
			(hihsi.created_at < hihsi2.created_at OR (hihsi.created_at = hihsi2.created_at AND hihsi.id < hihsi2.id))
	INNER JOIN
		in_house_apps iha ON hihsi.in_house_app_id = iha.id
	WHERE
		-- selfServiceFilter
		%s
		hihsi.host_id = :host_id AND
		hihsi.removed = 0 AND
		hihsi.canceled = 0 AND
		hihsi2.id IS NULL AND
		iha.global_or_team_id = :global_or_team_id AND
		NOT EXISTS (
			SELECT 1
			FROM
				upcoming_activities ua
			INNER JOIN
				in_house_app_upcoming_activities ihua ON ua.id = ihua.upcoming_activity_id
			WHERE
				ua.host_id = hihsi.host_id AND
				ihua.in_house_app_id = hihsi.in_house_app_id AND
				ua.activity_type = 'in_house_app_install'
		)
)
`, selfServiceFilter, inHouseAppHostStatusNamedQuery("hihsi", "ncr", "status"), selfServiceFilter)

	installsStmt, args, err := sqlx.Named(installsStmt, map[string]any{
		"host_id":                   hostID,
		"global_or_team_id":         globalOrTeamID,
		"software_status_installed": fleet.SoftwareInstalled,
		"mdm_status_acknowledged":   fleet.MDMAppleStatusAcknowledged,
		"mdm_status_error":          fleet.MDMAppleStatusError,
		"mdm_status_format_error":   fleet.MDMAppleStatusCommandFormatError,
		"software_status_failed":    fleet.SoftwareInstallFailed,
		"software_status_pending":   fleet.SoftwareInstallPending,
	})
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "build named query for host in-house installs")
	}
	var installs []*hostSoftware
	err = sqlx.SelectContext(ctx, ds.reader(ctx), &installs, installsStmt, args...)
	if err != nil {
		return nil, err
	}

	return installs, nil
}

func pushVersion(softwareIDStr string, softwareTitleRecord *hostSoftware, hostInstalledSoftware hostSoftware) {
	seperator := ","
	if softwareTitleRecord.SoftwareIDList == nil {
		softwareTitleRecord.SoftwareIDList = ptr.String("")
		softwareTitleRecord.SoftwareSourceList = ptr.String("")
		softwareTitleRecord.SoftwareExtensionForList = ptr.String("")
		softwareTitleRecord.VersionList = ptr.String("")
		softwareTitleRecord.BundleIdentifierList = ptr.String("")
		seperator = ""
	}
	softwareIDList := strings.Split(*softwareTitleRecord.SoftwareIDList, ",")
	found := false
	for _, id := range softwareIDList {
		if id == softwareIDStr {
			found = true
			break
		}
	}
	if !found {
		*softwareTitleRecord.SoftwareIDList += seperator + softwareIDStr
		if hostInstalledSoftware.SoftwareSource != nil {
			*softwareTitleRecord.SoftwareSourceList += seperator + *hostInstalledSoftware.SoftwareSource
		}
		if hostInstalledSoftware.SoftwareExtensionFor != nil {
			*softwareTitleRecord.SoftwareExtensionForList += seperator + *hostInstalledSoftware.SoftwareExtensionFor
		}
		*softwareTitleRecord.VersionList += seperator + *hostInstalledSoftware.Version
		*softwareTitleRecord.BundleIdentifierList += seperator + *hostInstalledSoftware.BundleIdentifier
	}
}

func hostInstalledVpps(ds *Datastore, ctx context.Context, hostID uint) ([]*hostSoftware, error) {
	vppInstalledStmt := `
		SELECT
			vpp_apps.title_id AS id,
			hvsi.command_uuid AS last_install_install_uuid,
			hvsi.created_at AS last_install_installed_at,
			vpp_apps.adam_id AS vpp_app_adam_id,
			vpp_apps.latest_version AS vpp_app_version,
			vpp_apps.platform as vpp_app_platform,
			NULLIF(vpp_apps.icon_url, '') as vpp_app_icon_url,
			vpp_apps_teams.self_service AS vpp_app_self_service,
			'installed' AS status
		FROM
			host_vpp_software_installs hvsi
		INNER JOIN
			vpp_apps ON hvsi.adam_id = vpp_apps.adam_id AND hvsi.platform = vpp_apps.platform
		INNER JOIN
			vpp_apps_teams ON vpp_apps.adam_id = vpp_apps_teams.adam_id AND vpp_apps.platform = vpp_apps_teams.platform
		WHERE
			hvsi.host_id = ?
	`
	var vppInstalled []*hostSoftware
	err := sqlx.SelectContext(ctx, ds.reader(ctx), &vppInstalled, vppInstalledStmt, hostID)
	if err != nil {
		return nil, err
	}

	return vppInstalled, nil
}

func hostInstalledInHouses(ds *Datastore, ctx context.Context, hostID uint) ([]*hostSoftware, error) {
	installedStmt := `
		SELECT
			iha.title_id AS id,
			hihsi.command_uuid AS last_install_install_uuid,
			hihsi.created_at AS last_install_installed_at,
			iha.id AS in_house_app_id,
			iha.filename AS in_house_app_name,
			iha.version AS in_house_app_version,
			iha.platform as in_house_app_platform,
			iha.self_service AS in_house_app_self_service,
			'installed' AS status
		FROM
			host_in_house_software_installs hihsi
		INNER JOIN
			in_house_apps iha ON hihsi.in_house_app_id = iha.id
		WHERE
			hihsi.host_id = ?
	`
	var installed []*hostSoftware
	err := sqlx.SelectContext(ctx, ds.reader(ctx), &installed, installedStmt, hostID)
	if err != nil {
		return nil, err
	}

	return installed, nil
}

// hydrated is the base record from the db
// it contains most of the information we need to return back, however,
// we need to copy over the install/uninstall data from the softwareTitle we fetched
// from hostSoftwareInstalls and hostSoftwareUninstalls
func hydrateHostSoftwareRecordFromDb(hydrated *hostSoftware, softwareTitle *hostSoftware) {
	var version,
		platform string
	if hydrated.PackageVersion != nil {
		version = *hydrated.PackageVersion
	}
	if hydrated.PackagePlatform != nil {
		platform = *hydrated.PackagePlatform
	}
	hydrated.SoftwarePackage = &fleet.SoftwarePackageOrApp{
		Name:        *hydrated.PackageName,
		Version:     version,
		Platform:    platform,
		SelfService: hydrated.PackageSelfService,
	}

	// promote the last install info to the proper destination fields
	if softwareTitle.LastInstallInstallUUID != nil && *softwareTitle.LastInstallInstallUUID != "" {
		hydrated.SoftwarePackage.LastInstall = &fleet.HostSoftwareInstall{
			InstallUUID: *softwareTitle.LastInstallInstallUUID,
		}
		if softwareTitle.LastInstallInstalledAt != nil {
			hydrated.SoftwarePackage.LastInstall.InstalledAt = *softwareTitle.LastInstallInstalledAt
		}
	}

	// promote the last uninstall info to the proper destination fields
	if softwareTitle.LastUninstallScriptExecutionID != nil && *softwareTitle.LastUninstallScriptExecutionID != "" {
		hydrated.SoftwarePackage.LastUninstall = &fleet.HostSoftwareUninstall{
			ExecutionID: *softwareTitle.LastUninstallScriptExecutionID,
		}
		if softwareTitle.LastUninstallUninstalledAt != nil {
			hydrated.SoftwarePackage.LastUninstall.UninstalledAt = *softwareTitle.LastUninstallUninstalledAt
		}
	}
}

// softwareTitleRecord is the base record, we will be modifying it
func promoteSoftwareTitleVPPApp(softwareTitleRecord *hostSoftware) {
	var version,
		platform string
	if softwareTitleRecord.VPPAppVersion != nil {
		version = *softwareTitleRecord.VPPAppVersion
	}
	if softwareTitleRecord.VPPAppPlatform != nil {
		platform = *softwareTitleRecord.VPPAppPlatform
	}
	softwareTitleRecord.AppStoreApp = &fleet.SoftwarePackageOrApp{
		AppStoreID:  *softwareTitleRecord.VPPAppAdamID,
		Version:     version,
		Platform:    platform,
		SelfService: softwareTitleRecord.VPPAppSelfService,
	}
	softwareTitleRecord.IconUrl = softwareTitleRecord.VPPAppIconURL

	// promote the last install info to the proper destination fields
	if softwareTitleRecord.LastInstallInstallUUID != nil && *softwareTitleRecord.LastInstallInstallUUID != "" {
		softwareTitleRecord.AppStoreApp.LastInstall = &fleet.HostSoftwareInstall{
			CommandUUID: *softwareTitleRecord.LastInstallInstallUUID,
		}
		if softwareTitleRecord.LastInstallInstalledAt != nil {
			softwareTitleRecord.AppStoreApp.LastInstall.InstalledAt = *softwareTitleRecord.LastInstallInstalledAt
		}
	}
}

// softwareTitleRecord is the base record, we will be modifying it
func promoteSoftwareTitleInHouseApp(softwareTitleRecord *hostSoftware) {
	var version, platform string
	if softwareTitleRecord.InHouseAppVersion != nil {
		version = *softwareTitleRecord.InHouseAppVersion
	}
	if softwareTitleRecord.InHouseAppPlatform != nil {
		platform = *softwareTitleRecord.InHouseAppPlatform
	}
	softwareTitleRecord.SoftwarePackage = &fleet.SoftwarePackageOrApp{
		Name:        *softwareTitleRecord.InHouseAppName,
		Version:     version,
		Platform:    platform,
		SelfService: softwareTitleRecord.InHouseAppSelfService,
	}

	// promote the last install info to the proper destination fields
	if softwareTitleRecord.LastInstallInstallUUID != nil && *softwareTitleRecord.LastInstallInstallUUID != "" {
		softwareTitleRecord.SoftwarePackage.LastInstall = &fleet.HostSoftwareInstall{
			CommandUUID: *softwareTitleRecord.LastInstallInstallUUID,
		}
		if softwareTitleRecord.LastInstallInstalledAt != nil {
			softwareTitleRecord.SoftwarePackage.LastInstall.InstalledAt = *softwareTitleRecord.LastInstallInstalledAt
		}
	}
}

func (ds *Datastore) ListHostSoftware(ctx context.Context, host *fleet.Host, opts fleet.HostSoftwareTitleListOptions) ([]*fleet.HostSoftwareWithInstaller, *fleet.PaginationMetadata, error) {
	if !opts.VulnerableOnly && (opts.MinimumCVSS > 0 || opts.MaximumCVSS > 0 || opts.KnownExploit) {
		return nil, nil, fleet.NewInvalidArgumentError(
			"query", "min_cvss_score, max_cvss_score, and exploit can only be provided with vulnerable=true",
		)
	}

	var globalOrTeamID uint
	if host.TeamID != nil {
		globalOrTeamID = *host.TeamID
	}

	// By default, installer platform takes care of omitting incompatible packages, but for Linux platforms the installer
	// type is a bit too broad, so we filter further here. Note that we do *not* enforce this on installations, in case
	// an admin knows that e.g. alien is installed and wants to push a package anyway. We also don't check software
	// inventory for deb/rpm to match that way; this differs from the logic we use for auto-install queries for rpm/deb
	// packages.
	incompatibleExtensions := []string{"noop"}
	if fleet.IsLinux(host.Platform) {
		if !host.PlatformSupportsDebPackages() {
			incompatibleExtensions = append(incompatibleExtensions, "deb")
		}
		if !host.PlatformSupportsRpmPackages() {
			incompatibleExtensions = append(incompatibleExtensions, "rpm")
		}
	}

	namedArgs := map[string]any{
		"host_id":                 host.ID,
		"host_platform":           host.FleetPlatform(),
		"incompatible_extensions": incompatibleExtensions,
		"global_or_team_id":       globalOrTeamID,
		"is_mdm_enrolled":         opts.IsMDMEnrolled,
		"host_label_updated_at":   host.LabelUpdatedAt,
		"avail":                   opts.OnlyAvailableForInstall,
		"self_service":            opts.SelfServiceOnly,
		"min_cvss":                opts.MinimumCVSS,
		"max_cvss":                opts.MaximumCVSS,
		"vpp_apps_platforms":      fleet.AppStoreAppsPlatforms,
		"known_exploit":           1,
	}
	var hasCVEMetaFilters bool
	if opts.KnownExploit || opts.MinimumCVSS > 0 || opts.MaximumCVSS > 0 {
		hasCVEMetaFilters = true
	}

	bySoftwareTitleID := make(map[uint]*hostSoftware)
	bySoftwareID := make(map[uint]*hostSoftware)

	var err error
	var hostSoftwareInstallsList []*hostSoftware
	if opts.OnlyAvailableForInstall || opts.IncludeAvailableForInstall {
		hostSoftwareInstallsList, err = hostSoftwareInstalls(ds, ctx, host.ID)
		if err != nil {
			return nil, nil, err
		}
		for _, s := range hostSoftwareInstallsList {
			if _, ok := bySoftwareTitleID[s.ID]; !ok {
				bySoftwareTitleID[s.ID] = s
			} else {
				bySoftwareTitleID[s.ID].LastInstallInstalledAt = s.LastInstallInstalledAt
				bySoftwareTitleID[s.ID].LastInstallInstallUUID = s.LastInstallInstallUUID
			}
		}
	}

	hostSoftwareUninstalls, err := hostSoftwareUninstalls(ds, ctx, host.ID)
	uninstallQuarantineSet := make(map[uint]*hostSoftware)
	if err != nil {
		return nil, nil, err
	}
	for _, s := range hostSoftwareUninstalls {
		if _, ok := bySoftwareTitleID[s.ID]; !ok {
			if opts.OnlyAvailableForInstall || opts.IncludeAvailableForInstall {
				bySoftwareTitleID[s.ID] = s
			} else {
				uninstallQuarantineSet[s.ID] = s
			}
		} else if bySoftwareTitleID[s.ID].LastInstallInstalledAt == nil ||
			(s.LastUninstallUninstalledAt != nil && s.LastUninstallUninstalledAt.After(*bySoftwareTitleID[s.ID].LastInstallInstalledAt)) {

			// if the uninstall is more recent than the install, we should update the status
			bySoftwareTitleID[s.ID].Status = s.Status
			bySoftwareTitleID[s.ID].LastUninstallUninstalledAt = s.LastUninstallUninstalledAt
			bySoftwareTitleID[s.ID].LastUninstallScriptExecutionID = s.LastUninstallScriptExecutionID
			bySoftwareTitleID[s.ID].ExitCode = s.ExitCode

			if !opts.OnlyAvailableForInstall && !opts.IncludeAvailableForInstall {
				uninstallQuarantineSet[s.ID] = bySoftwareTitleID[s.ID]
				delete(bySoftwareTitleID, s.ID)
			}
		}
	}

	hostInstalledSoftware, err := hostInstalledSoftware(ds, ctx, host.ID)
	if err != nil {
		return nil, nil, err
	}
	hostInstalledSoftwareTitleSet := make(map[uint]struct{})
	hostInstalledSoftwareSet := make(map[uint]*hostSoftware)
	for _, pointerToSoftware := range hostInstalledSoftware {
		s := *pointerToSoftware
		if pointerToSoftware.LastOpenedAt != nil {
			timeCopy := *pointerToSoftware.LastOpenedAt
			s.LastOpenedAt = &timeCopy
		}

		if unInstalled, ok := uninstallQuarantineSet[s.ID]; ok {
			// We have an uninstall record according to host_software_installs,
			// however, osquery says the software is installed.
			// Put it back into the set of returned software
			bySoftwareTitleID[s.ID] = unInstalled
		}

		if _, ok := bySoftwareTitleID[s.ID]; !ok {
			sCopy := s
			bySoftwareTitleID[s.ID] = &sCopy
		} else if (bySoftwareTitleID[s.ID].LastOpenedAt == nil) ||
			(s.LastOpenedAt != nil && bySoftwareTitleID[s.ID].LastOpenedAt != nil &&
				s.LastOpenedAt.After(*bySoftwareTitleID[s.ID].LastOpenedAt)) {
			existing := bySoftwareTitleID[s.ID]
			existing.LastOpenedAt = s.LastOpenedAt
		}

		hostInstalledSoftwareTitleSet[s.ID] = struct{}{}
		if s.SoftwareID != nil {
			bySoftwareID[*s.SoftwareID] = pointerToSoftware
			hostInstalledSoftwareSet[*s.SoftwareID] = pointerToSoftware
		}
	}

	hostVPPInstalls, err := hostVPPInstalls(ds, ctx, host.ID, globalOrTeamID, opts.SelfServiceOnly, opts.IsMDMEnrolled)
	if err != nil {
		return nil, nil, err
	}
	byVPPAdamID := make(map[string]*hostSoftware)
	for _, s := range hostVPPInstalls {
		if s.VPPAppAdamID != nil {
			// If a VPP app is already installed on the host, we don't need to double count it
			// until we merge the two fetch queries later on in this method.
			// Until then if the host_software record is not a software installer, we delete it and keep the vpp app
			if _, exists := hostInstalledSoftwareTitleSet[s.ID]; exists {
				installedTitle := bySoftwareTitleID[s.ID]
				if installedTitle != nil && installedTitle.InstallerID == nil {
					// not a software installer, so copy over
					// the installed title information
					s.LastOpenedAt = installedTitle.LastOpenedAt
					s.SoftwareID = installedTitle.SoftwareID
					s.SoftwareSource = installedTitle.SoftwareSource
					s.SoftwareExtensionFor = installedTitle.SoftwareExtensionFor
					s.Version = installedTitle.Version
					s.BundleIdentifier = installedTitle.BundleIdentifier
					if !opts.VulnerableOnly && !hasCVEMetaFilters {
						// When we are filtering by vulnerable only
						// we want to treat the installed vpp app as a regular software title
						delete(bySoftwareTitleID, s.ID)
					}
					byVPPAdamID[*s.VPPAppAdamID] = s
				} else {
					continue
				}
			} else if opts.OnlyAvailableForInstall || opts.IncludeAvailableForInstall {
				byVPPAdamID[*s.VPPAppAdamID] = s
			}
		}
	}

	hostInHouseInstalls, err := hostInHouseInstalls(ds, ctx, host.ID, globalOrTeamID, opts.SelfServiceOnly, opts.IsMDMEnrolled)
	if err != nil {
		return nil, nil, err
	}
	byInHouseID := make(map[uint]*hostSoftware)
	for _, s := range hostInHouseInstalls {
		// If an in-house app is already installed on the host, we don't need to
		// double count it (what does that mean? copied from the VPP comment,
		// please clarify if you know) until we merge the two fetch queries later
		// on in this method. Until then if the host_software record is not a
		// software installer nor VPP app, we delete it and keep the in-house app.
		if _, exists := hostInstalledSoftwareTitleSet[s.ID]; exists {
			installedTitle := bySoftwareTitleID[s.ID]

			if installedTitle != nil && installedTitle.InstallerID == nil {
				// not a software installer, so copy over
				// the installed title information
				s.LastOpenedAt = installedTitle.LastOpenedAt
				s.SoftwareID = installedTitle.SoftwareID
				s.SoftwareSource = installedTitle.SoftwareSource
				s.SoftwareExtensionFor = installedTitle.SoftwareExtensionFor
				s.Version = installedTitle.Version
				s.BundleIdentifier = installedTitle.BundleIdentifier
				if !opts.VulnerableOnly && !hasCVEMetaFilters {
					// When we are filtering by vulnerable only
					// we want to treat the installed in-house app as a regular software title
					delete(bySoftwareTitleID, s.ID)
				}
				byInHouseID[*s.InHouseAppID] = s
			} else {
				continue
			}
		} else if opts.OnlyAvailableForInstall || opts.IncludeAvailableForInstall {
			byInHouseID[*s.InHouseAppID] = s
		}
	}

	hostInstalledVppsApps, err := hostInstalledVpps(ds, ctx, host.ID)
	if err != nil {
		return nil, nil, err
	}
	installedVppsByAdamID := make(map[string]*hostSoftware)
	for _, s := range hostInstalledVppsApps {
		if s.VPPAppAdamID != nil {
			installedVppsByAdamID[*s.VPPAppAdamID] = s
		}
	}

	hostVPPInstalledTitles := make(map[uint]*hostSoftware)
	for _, s := range installedVppsByAdamID {
		if _, ok := hostInstalledSoftwareTitleSet[s.ID]; ok {
			// we copied over all the installed title information
			// from bySoftwareTitleID, but deleted the record from the map
			// when going through hostVPPInstalls. Copy over the
			// data from the byVPPAdamID to hostVPPInstalledTitles
			// so we can later push to InstalledVersions
			installedTitle := byVPPAdamID[*s.VPPAppAdamID]
			if installedTitle == nil {
				// This can happen when mdm_enrolled is false
				// because in hostVPPInstalls we filter those out
				installedTitle = bySoftwareTitleID[s.ID]
			}
			if installedTitle == nil {
				// We somehow have a vpp app in host_vpp_software_installs,
				// however osquery didn't pick it up in inventory
				continue
			}
			s.SoftwareID = installedTitle.SoftwareID
			s.SoftwareSource = installedTitle.SoftwareSource
			s.SoftwareExtensionFor = installedTitle.SoftwareExtensionFor
			s.Version = installedTitle.Version
			s.BundleIdentifier = installedTitle.BundleIdentifier
		}
		if s.VPPAppAdamID != nil {
			// Override the status; if there's a pending re-install, we should show that status.
			if hs, ok := byVPPAdamID[*s.VPPAppAdamID]; ok {
				s.Status = hs.Status
			}
		}
		hostVPPInstalledTitles[s.ID] = s
	}

	hostInstalledInHouseApps, err := hostInstalledInHouses(ds, ctx, host.ID)
	if err != nil {
		return nil, nil, err
	}
	installedInHouseByID := make(map[uint]*hostSoftware)
	for _, s := range hostInstalledInHouseApps {
		if s.InHouseAppID != nil {
			installedInHouseByID[*s.InHouseAppID] = s
		}
	}

	hostInHouseInstalledTitles := make(map[uint]*hostSoftware)
	for _, s := range installedInHouseByID {
		if _, ok := hostInstalledSoftwareTitleSet[s.ID]; ok {
			// we copied over all the installed title information
			// from bySoftwareTitleID, but deleted the record from the map
			// when going through hostInHouseInstalls. Copy over the
			// data from the byInHouseID to hostInHouseInstalledTitles
			// so we can later push to InstalledVersions
			installedTitle := byInHouseID[*s.InHouseAppID]
			if installedTitle == nil {
				// This can happen when mdm_enrolled is false
				// because in hostInHouseInstalls we filter those out
				installedTitle = bySoftwareTitleID[s.ID]
			}
			if installedTitle == nil {
				// We somehow have an in-house app in host_in_house_software_installs,
				// however osquery didn't pick it up in inventory
				continue
			}
			s.SoftwareID = installedTitle.SoftwareID
			s.SoftwareSource = installedTitle.SoftwareSource
			s.SoftwareExtensionFor = installedTitle.SoftwareExtensionFor
			s.Version = installedTitle.Version
			s.BundleIdentifier = installedTitle.BundleIdentifier
		}
		if s.InHouseAppID != nil {
			// Override the status; if there's a pending re-install, we should show that status.
			if hs, ok := byInHouseID[*s.InHouseAppID]; ok {
				s.Status = hs.Status
			}
		}
		hostInHouseInstalledTitles[s.ID] = s
	}

	var stmtAvailable string

	if opts.OnlyAvailableForInstall || opts.IncludeAvailableForInstall {
		namedArgs["host_compatible_platforms"] = host.FleetPlatform()

		var availableSoftwareTitles []*hostSoftware

		if !opts.VulnerableOnly {
			stmtAvailable = `
				SELECT
				st.id,
				st.name,
				st.source,
				st.extension_for,
				st.upgrade_code,
				si.id as installer_id,
				si.self_service as package_self_service,
				si.filename as package_name,
				si.version as package_version,
				si.platform as package_platform,
				vat.self_service as vpp_app_self_service,
				vat.adam_id as vpp_app_adam_id,
				vap.latest_version as vpp_app_version,
				vap.platform as vpp_app_platform,
				NULLIF(vap.icon_url, '') as vpp_app_icon_url,
				iha.id as in_house_app_id,
				iha.filename as in_house_app_name,
				iha.version as in_house_app_version,
				iha.platform as in_house_app_platform,
				iha.self_service as in_house_app_self_service,
				NULL as last_install_installed_at,
				NULL as last_install_install_uuid,
				NULL as last_uninstall_uninstalled_at,
				NULL as last_uninstall_script_execution_id,
				NULL as status
			FROM
				software_titles st
			LEFT OUTER JOIN
				-- filter out software that is not available for install on the host's platform
				software_installers si ON st.id = si.title_id AND si.platform = :host_compatible_platforms AND si.extension NOT IN (:incompatible_extensions) AND si.global_or_team_id = :global_or_team_id
			LEFT OUTER JOIN
				-- include VPP apps only if the host is on a supported platform
				vpp_apps vap ON st.id = vap.title_id AND :host_platform IN (:vpp_apps_platforms)
			LEFT OUTER JOIN
				vpp_apps_teams vat ON vap.adam_id = vat.adam_id AND vap.platform = vat.platform AND vat.global_or_team_id = :global_or_team_id
			LEFT OUTER JOIN
				in_house_apps iha ON iha.title_id = st.id AND iha.platform = :host_compatible_platforms AND iha.global_or_team_id = :global_or_team_id
			WHERE
				-- software is not installed on host (but is available in host's team)
				NOT EXISTS (
					SELECT 1
					FROM
						host_software hs
					INNER JOIN
						software s ON hs.software_id = s.id
					WHERE
						hs.host_id = :host_id AND
						s.title_id = st.id
				) AND
				-- sofware install has not been attempted on host
				NOT EXISTS (
					SELECT 1
					FROM
						host_software_installs hsi
					WHERE
						hsi.host_id = :host_id AND
						hsi.software_installer_id = si.id AND
						hsi.removed = 0 AND
						hsi.canceled = 0
				) AND
				-- sofware install/uninstall is not upcoming on host
				NOT EXISTS (
					SELECT 1
					FROM
						upcoming_activities ua
						INNER JOIN
							software_install_upcoming_activities siua ON siua.upcoming_activity_id = ua.id
					WHERE
						ua.host_id = :host_id AND
						ua.activity_type IN ('software_install', 'software_uninstall') AND
						siua.software_installer_id = si.id
				) AND
				-- VPP install has not been attempted on host
				NOT EXISTS (
					SELECT 1
					FROM
						host_vpp_software_installs hvsi
					WHERE
						hvsi.host_id = :host_id AND
						hvsi.adam_id = vat.adam_id AND
						hvsi.removed = 0 AND
						hvsi.canceled = 0
				) AND
				-- VPP install is not upcoming on host
				NOT EXISTS (
					SELECT 1
					FROM
						upcoming_activities ua
						INNER JOIN
							vpp_app_upcoming_activities vaua ON vaua.upcoming_activity_id = ua.id
					WHERE
						ua.host_id = :host_id AND
						ua.activity_type = 'vpp_app_install' AND
						vaua.adam_id = vat.adam_id
				) AND
				-- in-house install has not been attempted on host
				NOT EXISTS (
					SELECT 1
					FROM
						host_in_house_software_installs hihsi
					WHERE
						hihsi.host_id = :host_id AND
						hihsi.in_house_app_id = iha.id AND
						hihsi.removed = 0 AND
						hihsi.canceled = 0
				) AND
				-- in-house install is not upcoming on host
				NOT EXISTS (
					SELECT 1
					FROM
						upcoming_activities ua
						INNER JOIN
							in_house_app_upcoming_activities ihua ON ihua.upcoming_activity_id = ua.id
					WHERE
						ua.host_id = :host_id AND
						ua.activity_type = 'in_house_app_install' AND
						ihua.in_house_app_id = iha.id
				) AND
				-- either the software installer or the vpp app or the in-house app exists for the host's team
				( si.id IS NOT NULL OR vat.platform = :host_platform OR iha.id IS NOT NULL ) AND
				-- label membership check
				(
					-- do the label membership check for software installers and VPP apps and in-house apps
						EXISTS (

						SELECT 1 FROM (

							-- no labels
							SELECT 0 AS count_installer_labels, 0 AS count_host_labels, 0 as count_host_updated_after_labels
							WHERE
								NOT EXISTS (SELECT 1 FROM software_installer_labels sil WHERE sil.software_installer_id = si.id) AND
								NOT EXISTS (SELECT 1 FROM vpp_app_team_labels vatl WHERE vatl.vpp_app_team_id = vat.id) AND
								NOT EXISTS (SELECT 1 FROM in_house_app_labels ihl WHERE ihl.in_house_app_id = iha.id)

							UNION

							-- include any for software installers
							SELECT
								COUNT(*) AS count_installer_labels,
								COUNT(lm.label_id) AS count_host_labels,
								0 as count_host_updated_after_labels
							FROM
								software_installer_labels sil
								LEFT OUTER JOIN label_membership lm ON lm.label_id = sil.label_id
								AND lm.host_id = :host_id
							WHERE
								sil.software_installer_id = si.id
								AND sil.exclude = 0
							HAVING
								count_installer_labels > 0 AND count_host_labels > 0

							UNION

							-- exclude any for software installers, ignore software that depends on labels created
							-- _after_ the label_updated_at timestamp of the host (because
							-- we don't have results for that label yet, the host may or may
							-- not be a member).
							SELECT
								COUNT(*) AS count_installer_labels,
								COUNT(lm.label_id) AS count_host_labels,
								SUM(
									CASE WHEN lbl.label_membership_type <> 1 AND lbl.created_at IS NOT NULL AND :host_label_updated_at >= lbl.created_at THEN 1
									WHEN lbl.label_membership_type = 1 AND lbl.created_at IS NOT NULL THEN 1
									ELSE 0 END) as count_host_updated_after_labels
							FROM
								software_installer_labels sil
								LEFT OUTER JOIN labels lbl
									ON lbl.id = sil.label_id
								LEFT OUTER JOIN label_membership lm
									ON lm.label_id = sil.label_id AND lm.host_id = :host_id
							WHERE
								sil.software_installer_id = si.id
								AND sil.exclude = 1
							HAVING
								count_installer_labels > 0 AND count_installer_labels = count_host_updated_after_labels AND count_host_labels = 0

							UNION

							-- include any for VPP apps
							SELECT
								COUNT(*) AS count_installer_labels,
								COUNT(lm.label_id) AS count_host_labels,
								0 as count_host_updated_after_labels
							FROM
								vpp_app_team_labels vatl
								LEFT OUTER JOIN label_membership lm ON lm.label_id = vatl.label_id
								AND lm.host_id = :host_id
							WHERE
								vatl.vpp_app_team_id = vat.id
								AND vatl.exclude = 0
							HAVING
								count_installer_labels > 0 AND count_host_labels > 0

							UNION

							-- exclude any for VPP apps
							SELECT
								COUNT(*) AS count_installer_labels,
								COUNT(lm.label_id) AS count_host_labels,
								SUM(CASE
								WHEN lbl.created_at IS NOT NULL AND lbl.label_membership_type = 0 AND :host_label_updated_at >= lbl.created_at THEN 1
								WHEN lbl.created_at IS NOT NULL AND lbl.label_membership_type = 1 THEN 1
								ELSE 0 END) as count_host_updated_after_labels
							FROM
								vpp_app_team_labels vatl
								LEFT OUTER JOIN labels lbl
									ON lbl.id = vatl.label_id
								LEFT OUTER JOIN label_membership lm
									ON lm.label_id = vatl.label_id AND lm.host_id = :host_id
							WHERE
								vatl.vpp_app_team_id = vat.id
								AND vatl.exclude = 1
							HAVING
								count_installer_labels > 0 AND count_installer_labels = count_host_updated_after_labels AND count_host_labels = 0

							UNION

							-- include any for in-house apps
							SELECT
								COUNT(*) AS count_installer_labels,
								COUNT(lm.label_id) AS count_host_labels,
								0 as count_host_updated_after_labels
							FROM
								in_house_app_labels ihl
								LEFT OUTER JOIN label_membership lm ON lm.label_id = ihl.label_id AND lm.host_id = :host_id
							WHERE
								ihl.in_house_app_id = iha.id
								AND ihl.exclude = 0
							HAVING
								count_installer_labels > 0 AND count_host_labels > 0

							UNION

							-- exclude any for in-house apps
							SELECT
								COUNT(*) AS count_installer_labels,
								COUNT(lm.label_id) AS count_host_labels,
								SUM(CASE
								WHEN lbl.created_at IS NOT NULL AND lbl.label_membership_type = 0 AND :host_label_updated_at >= lbl.created_at THEN 1
								WHEN lbl.created_at IS NOT NULL AND lbl.label_membership_type = 1 THEN 1
								ELSE 0 END) as count_host_updated_after_labels
							FROM
								in_house_app_labels ihl
								LEFT OUTER JOIN labels lbl ON lbl.id = ihl.label_id
								LEFT OUTER JOIN label_membership lm ON lm.label_id = ihl.label_id AND lm.host_id = :host_id
							WHERE
								ihl.in_house_app_id = iha.id AND
								ihl.exclude = 1
							HAVING
								count_installer_labels > 0 AND count_installer_labels = count_host_updated_after_labels AND count_host_labels = 0
							) t
						)
				)
			`
			if opts.SelfServiceOnly {
				stmtAvailable += "\nAND ( si.self_service = 1 OR ( vat.self_service = 1 AND :is_mdm_enrolled ) OR ( iha.self_service = 1 AND :is_mdm_enrolled ) )"
			}

			if !opts.IsMDMEnrolled {
				// both VPP apps and in-house apps require MDM
				stmtAvailable += "\nAND vat.id IS NULL AND iha.id IS NULL"
			}

			stmtAvailable, args, err := sqlx.Named(stmtAvailable, namedArgs)
			if err != nil {
				return nil, nil, err
			}
			stmtAvailable, args, err = sqlx.In(stmtAvailable, args...)
			if err != nil {
				return nil, nil, err
			}

			err = sqlx.SelectContext(ctx, ds.reader(ctx), &availableSoftwareTitles, stmtAvailable, args...)
			if err != nil {
				return nil, nil, err
			}
		}

		// These slices are meant to keep track of software that is available for install.
		// When we are filtering by `OnlyAvailableForInstall`, we will replace the existing
		// software title records held in bySoftwareTitleID, byVPPAdamID and byInHouseID.
		// If we are just using the `IncludeAvailableForInstall` options, we will simply
		// add these addtional software titles to bySoftwareTitleID, byVPPAdamID and byInHouseID.
		tmpBySoftwareTitleID := make(map[uint]*hostSoftware, len(availableSoftwareTitles))
		tmpByVPPAdamID := make(map[string]*hostSoftware, len(byVPPAdamID))
		tmpByInHouseID := make(map[uint]*hostSoftware, len(byInHouseID))
		if opts.OnlyAvailableForInstall {
			// drop in anything that has been installed or uninstalled as it can be installed again regardless of status
			for _, s := range hostSoftwareUninstalls {
				tmpBySoftwareTitleID[s.ID] = s
			}
			if !opts.VulnerableOnly {
				for _, s := range hostSoftwareInstallsList {
					tmpBySoftwareTitleID[s.ID] = s
				}
				for _, s := range hostVPPInstalls {
					tmpByVPPAdamID[*s.VPPAppAdamID] = s
				}
				for _, s := range hostInHouseInstalls {
					tmpByInHouseID[*s.InHouseAppID] = s
				}
			}
		}
		// NOTE: label conditions are applied in a subsequent step
		// software installed on the host not by fleet and there exists a software installer that matches this software
		// so that makes it available for install
		installedInstallersSql := `
			SELECT
				software.title_id,
				software_installers.id AS installer_id,
				software_installers.self_service AS package_self_service
			FROM
				host_software
			INNER JOIN
				software ON host_software.software_id = software.id
			INNER JOIN
				software_installers ON software.title_id = software_installers.title_id
				  AND software_installers.platform = ?
				  AND software_installers.global_or_team_id = ?
			WHERE host_software.host_id = ?
			`
		type InstalledSoftwareTitle struct {
			TitleID     uint `db:"title_id"`
			InstallerID uint `db:"installer_id"`
			SelfService bool `db:"package_self_service"`
		}
		var installedSoftwareTitleIDs []InstalledSoftwareTitle
		err = sqlx.SelectContext(ctx, ds.reader(ctx), &installedSoftwareTitleIDs, installedInstallersSql, namedArgs["host_compatible_platforms"], globalOrTeamID, host.ID)
		if err != nil {
			return nil, nil, err
		}
		for _, s := range installedSoftwareTitleIDs {
			if software := bySoftwareTitleID[s.TitleID]; software != nil {
				software.InstallerID = &s.InstallerID
				software.PackageSelfService = &s.SelfService
				tmpBySoftwareTitleID[s.TitleID] = software
			}
		}
		if !opts.SelfServiceOnly || (opts.SelfServiceOnly && opts.IsMDMEnrolled) {
			// NOTE: label conditions are applied in a subsequent step
			// software installed on the host not by fleet and there exists a vpp app that matches this software
			// so that makes it available for install
			installedVPPAppsSql := `
				SELECT
					vpp_apps.title_id AS id,
					vpp_apps.adam_id AS vpp_app_adam_id,
					vpp_apps.latest_version AS vpp_app_version,
					vpp_apps.platform as vpp_app_platform,
					NULLIF(vpp_apps.icon_url, '') as vpp_app_icon_url,
					vpp_apps_teams.self_service AS vpp_app_self_service
				FROM
					host_software
				INNER JOIN
					software ON host_software.software_id = software.id
				INNER JOIN
					vpp_apps ON software.title_id = vpp_apps.title_id AND :host_platform IN (:vpp_apps_platforms)
				INNER JOIN
					vpp_apps_teams ON vpp_apps.adam_id = vpp_apps_teams.adam_id AND vpp_apps.platform = vpp_apps_teams.platform AND vpp_apps_teams.global_or_team_id = :global_or_team_id
				WHERE
					host_software.host_id = :host_id
				`
			installedVPPAppsSql, args, err := sqlx.Named(installedVPPAppsSql, namedArgs)
			if err != nil {
				return nil, nil, err
			}
			installedVPPAppsSql, args, err = sqlx.In(installedVPPAppsSql, args...)
			if err != nil {
				return nil, nil, err
			}
			var installedVPPAppIDs []*hostSoftware
			err = sqlx.SelectContext(ctx, ds.reader(ctx), &installedVPPAppIDs, installedVPPAppsSql, args...)
			if err != nil {
				return nil, nil, err
			}
			for _, s := range installedVPPAppIDs {
				if s.VPPAppAdamID != nil {
					if tmpByVPPAdamID[*s.VPPAppAdamID] == nil {
						// inventoried by osquery, but not installed by fleet
						tmpByVPPAdamID[*s.VPPAppAdamID] = s
					} else {
						// inventoried by osquery, but installed by fleet
						// We want to preserve the install information from host_vpp_software_installs
						// so don't overwrite the existing record
						tmpByVPPAdamID[*s.VPPAppAdamID].VPPAppVersion = s.VPPAppVersion
						tmpByVPPAdamID[*s.VPPAppAdamID].VPPAppPlatform = s.VPPAppPlatform
						tmpByVPPAdamID[*s.VPPAppAdamID].VPPAppIconURL = s.VPPAppIconURL
					}
				}
				if VPPAppByFleet, ok := hostVPPInstalledTitles[s.ID]; ok {
					// Vpp app installed by fleet, so we need to copy over the status,
					// because all fleet installed apps show an installed status if available
					tmpByVPPAdamID[*s.VPPAppAdamID].Status = VPPAppByFleet.Status
				}
				// If a VPP app is installed on the host, but not by fleet
				// it will be present in bySoftwareTitleID, because osquery returned it as inventory.
				// We need to remove it from bySoftwareTitleID and add it to byVPPAdamID
				if inventoriedSoftware, ok := bySoftwareTitleID[s.ID]; ok {
					inventoriedSoftware.VPPAppAdamID = s.VPPAppAdamID
					inventoriedSoftware.VPPAppVersion = s.VPPAppVersion
					inventoriedSoftware.VPPAppPlatform = s.VPPAppPlatform
					inventoriedSoftware.VPPAppIconURL = s.VPPAppIconURL
					inventoriedSoftware.VPPAppSelfService = s.VPPAppSelfService
					if !opts.VulnerableOnly && !hasCVEMetaFilters {
						// When we are filtering by vulnerable only
						// we want to treat the installed vpp app as a regular software title
						delete(bySoftwareTitleID, s.ID)
						byVPPAdamID[*s.VPPAppAdamID] = inventoriedSoftware
					}
					hostVPPInstalledTitles[s.ID] = inventoriedSoftware
				}
			}

			// NOTE: label conditions are applied in a subsequent step
			// software installed on the host not by fleet and there exists an
			// in-house app that matches this software so that makes it available for
			// install
			installedInHouseAppsSql := `
				SELECT
					iha.title_id AS id,
					iha.id AS in_house_app_id,
					iha.filename AS in_house_app_name,
					iha.version AS in_house_app_version,
					iha.platform as in_house_app_platform,
					iha.self_service AS in_house_app_self_service
				FROM
					host_software
				INNER JOIN
					software ON host_software.software_id = software.id
				INNER JOIN
					in_house_apps iha ON software.title_id = iha.title_id AND iha.global_or_team_id = :global_or_team_id  AND iha.platform = :host_compatible_platforms
				WHERE
					host_software.host_id = :host_id
				`
			installedInHouseAppsSql, args, err = sqlx.Named(installedInHouseAppsSql, namedArgs)
			if err != nil {
				return nil, nil, err
			}
			installedInHouseAppsSql, args, err = sqlx.In(installedInHouseAppsSql, args...)
			if err != nil {
				return nil, nil, err
			}
			var installedInHouseAppIDs []*hostSoftware
			err = sqlx.SelectContext(ctx, ds.reader(ctx), &installedInHouseAppIDs, installedInHouseAppsSql, args...)
			if err != nil {
				return nil, nil, err
			}
			for _, s := range installedInHouseAppIDs {
				if s.InHouseAppID != nil {
					if tmpByInHouseID[*s.InHouseAppID] == nil {
						// inventoried, but not installed by fleet
						tmpByInHouseID[*s.InHouseAppID] = s
					} else {
						// inventoried, but installed by fleet
						// We want to preserve the install information from host_in_house_software_installs
						// so don't overwrite the existing record
						tmpByInHouseID[*s.InHouseAppID].InHouseAppVersion = s.InHouseAppVersion
						tmpByInHouseID[*s.InHouseAppID].InHouseAppPlatform = s.InHouseAppPlatform
						tmpByInHouseID[*s.InHouseAppID].InHouseAppName = s.InHouseAppName
					}
				}
				if inHouseAppByFleet, ok := hostInHouseInstalledTitles[s.ID]; ok {
					// In-house app installed by fleet, so we need to copy over the status,
					// because all fleet installed apps show an installed status if available
					tmpByInHouseID[*s.InHouseAppID].Status = inHouseAppByFleet.Status
				}
				// If an in-house app is installed on the host, but not by fleet
				// it will be present in bySoftwareTitleID, because osquery returned it as inventory.
				// We need to remove it from bySoftwareTitleID and add it to byInHouseID
				if inventoriedSoftware, ok := bySoftwareTitleID[s.ID]; ok {
					inventoriedSoftware.InHouseAppID = s.InHouseAppID
					inventoriedSoftware.InHouseAppVersion = s.InHouseAppVersion
					inventoriedSoftware.InHouseAppPlatform = s.InHouseAppPlatform
					inventoriedSoftware.InHouseAppName = s.InHouseAppName
					inventoriedSoftware.InHouseAppSelfService = s.InHouseAppSelfService
					if !opts.VulnerableOnly && !hasCVEMetaFilters {
						// When we are filtering by vulnerable only
						// we want to treat the installed in-house app as a regular software title
						delete(bySoftwareTitleID, s.ID)
						byInHouseID[*s.InHouseAppID] = inventoriedSoftware
					}
					hostInHouseInstalledTitles[s.ID] = inventoriedSoftware
				}
			}
		}

		for _, s := range availableSoftwareTitles {
			switch {
			case s.VPPAppAdamID != nil:
				// VPP app
				existingVPP, found := byVPPAdamID[*s.VPPAppAdamID]
				if opts.OnlyAvailableForInstall {
					if !found {
						tmpByVPPAdamID[*s.VPPAppAdamID] = s
					} else {
						tmpByVPPAdamID[*s.VPPAppAdamID] = existingVPP
					}
				} else {
					// We have an existing vpp record in an installed or pending state, do not overwrite with the
					// one that's available for install. We would lose specifics about the installed version
					if !found {
						byVPPAdamID[*s.VPPAppAdamID] = s
					}
				}

			case s.InHouseAppID != nil:
				// In-house app
				existing, found := byInHouseID[*s.InHouseAppID]
				if opts.OnlyAvailableForInstall {
					if !found {
						tmpByInHouseID[*s.InHouseAppID] = s
					} else {
						tmpByInHouseID[*s.InHouseAppID] = existing
					}
				} else {
					// We have an existing in-house record in an installed or pending state, do not overwrite with the
					// one that's available for install. We would lose specifics about the installed version
					if !found {
						byInHouseID[*s.InHouseAppID] = s
					}
				}

			default:
				existingSoftware, found := bySoftwareTitleID[s.ID]
				if opts.OnlyAvailableForInstall {
					if !found {
						tmpBySoftwareTitleID[s.ID] = s
					} else {
						tmpBySoftwareTitleID[s.ID] = existingSoftware
					}
				} else {
					// We have an existing software record in an installed or pending state, do not overwrite with the
					// one that's available for install. We would lose specifics about the previous record
					if !found {
						bySoftwareTitleID[s.ID] = s
					}
				}
			}
		}
		// Clear out all the previous software titles as we are only filtering for available software
		if opts.OnlyAvailableForInstall {
			bySoftwareTitleID = tmpBySoftwareTitleID
			byVPPAdamID = tmpByVPPAdamID
			byInHouseID = tmpByInHouseID
		}
	}

	// filter out software installers due to label scoping
	filteredBySoftwareTitleID, err := filterSoftwareInstallersByLabel(
		ds,
		ctx,
		host,
		bySoftwareTitleID,
	)
	if err != nil {
		return nil, nil, err
	}

	// filter out VPP apps due to label scoping
	filteredByVPPAdamID, otherVppAppsInInventory, err := filterVPPAppsByLabel(
		ds,
		ctx,
		host,
		byVPPAdamID,
		hostVPPInstalledTitles,
	)
	if err != nil {
		return nil, nil, err
	}

	// filter out in-house apps due to label scoping
	filteredByInHouseID, otherInHouseAppsInInventory, err := filterInHouseAppsByLabel(
		ds,
		ctx,
		host,
		byInHouseID,
		hostInHouseInstalledTitles,
	)
	if err != nil {
		return nil, nil, err
	}

	// We ignored the VPP apps that were installed on the host while filtering in filterSoftwareInstallersByLabel
	// so we need to add them back in if they are allowed by filterVppAppsByLabel
	for _, value := range otherVppAppsInInventory {
		if st, ok := bySoftwareTitleID[value.ID]; ok {
			filteredBySoftwareTitleID[value.ID] = st
		}
	}

	// We ignored the in-house apps that were installed on the host while filtering in filterSoftwareInstallersByLabel
	// so we need to add them back in if they are allowed by filterInHouseAppsByLabel
	for _, value := range otherInHouseAppsInInventory {
		if st, ok := bySoftwareTitleID[value.ID]; ok {
			filteredBySoftwareTitleID[value.ID] = st
		}
	}

	if opts.OnlyAvailableForInstall {
		bySoftwareTitleID = filteredBySoftwareTitleID
		byVPPAdamID = filteredByVPPAdamID
		byInHouseID = filteredByInHouseID
	}
	// self service impacts inventory, when a software title is excluded because of a filter,
	// it should be excluded from the inventory as well, because we cannot "reinstall" it on the self service page
	if opts.SelfServiceOnly {
		for _, software := range bySoftwareTitleID {
			if software.PackageSelfService != nil && *software.PackageSelfService {
				if filteredBySoftwareTitleID[software.ID] == nil {
					// remove the software title from bySoftwareTitleID
					delete(bySoftwareTitleID, software.ID)
				}
			}
		}
		for vppAppAdamID, software := range byVPPAdamID {
			if software.VPPAppSelfService != nil && *software.VPPAppSelfService {
				if filteredByVPPAdamID[vppAppAdamID] == nil {
					// remove the software title from byVPPAdamID
					delete(byVPPAdamID, vppAppAdamID)
				}
			}
		}
		for inHouseID, software := range byInHouseID {
			if software.InHouseAppSelfService != nil && *software.InHouseAppSelfService {
				if filteredByInHouseID[inHouseID] == nil {
					// remove the software title from byInHouseID
					delete(byInHouseID, inHouseID)
				}
			}
		}
	}

	// since these host installed vpp apps/in-house apps are already added in bySoftwareTitleID,
	// we need to avoid adding them to byVPPAdamID/byInHouseID
	// but we need to store them in filteredBy{VPPAdamID,InHouseID} so they are able to be
	// promoted when returning the software title
	for key, value := range otherVppAppsInInventory {
		if _, ok := filteredByVPPAdamID[key]; !ok {
			filteredByVPPAdamID[key] = value
		}
	}
	for key, value := range otherInHouseAppsInInventory {
		if _, ok := filteredByInHouseID[key]; !ok {
			filteredByInHouseID[key] = value
		}
	}

	var softwareTitleIDs []uint
	for softwareTitleID := range bySoftwareTitleID {
		softwareTitleIDs = append(softwareTitleIDs, softwareTitleID)
	}

	var softwareIDs []uint
	for softwareID := range bySoftwareID {
		softwareIDs = append(softwareIDs, softwareID)
	}

	var vppAdamIDs []string
	var vppTitleIDs []uint
	for key, v := range byVPPAdamID {
		vppAdamIDs = append(vppAdamIDs, key)
		vppTitleIDs = append(vppTitleIDs, v.ID)
	}

	var inHouseIDs []uint
	var inHouseTitleIDs []uint
	for key, v := range byInHouseID {
		inHouseIDs = append(inHouseIDs, key)
		inHouseTitleIDs = append(inHouseTitleIDs, v.ID)
	}

	var titleCount uint
	var hostSoftwareList []*hostSoftware
	if len(softwareTitleIDs) > 0 || len(vppAdamIDs) > 0 || len(inHouseIDs) > 0 {
		var (
			args                   []interface{}
			stmt                   string
			softwareTitleStatement string
			vppAdamStatment        string
		)

		matchClause := ""
		matchArgs := []interface{}{}
		if opts.ListOptions.MatchQuery != "" {
			matchClause, matchArgs = searchLike(matchClause, matchArgs, opts.ListOptions.MatchQuery, "software_titles.name")
		}

		var (
			softwareOnlySelfServiceClause string
			vppOnlySelfServiceClause      string
			inHouseOnlySelfServiceClause  string
		)
		if opts.SelfServiceOnly {
			softwareOnlySelfServiceClause = ` AND software_installers.self_service = 1 `
			if opts.IsMDMEnrolled {
				vppOnlySelfServiceClause = ` AND vpp_apps_teams.self_service = 1 `
				inHouseOnlySelfServiceClause = ` AND in_house_apps.self_service = 1 `
			}
		}

		var cveMetaFilter string
		var cveMatchClause string
		var cveNamedArgs []interface{}
		var cveMatchArgs []interface{}
		if opts.KnownExploit {
			cveMetaFilter += "\nAND cve_meta.cisa_known_exploit = :known_exploit"
		}
		if opts.MinimumCVSS > 0 {
			cveMetaFilter += "\nAND cve_meta.cvss_score >= :min_cvss"
		}
		if opts.MaximumCVSS > 0 {
			cveMetaFilter += "\nAND cve_meta.cvss_score <= :max_cvss"
		}
		if hasCVEMetaFilters {
			cveMetaFilter, cveNamedArgs, err = sqlx.Named(cveMetaFilter, namedArgs)
			if err != nil {
				return nil, nil, ctxerr.Wrap(ctx, err, "build named query for cve meta filters")
			}
		}
		if opts.ListOptions.MatchQuery != "" {
			cveMatchClause, cveMatchArgs = searchLike(cveMatchClause, cveMatchArgs, opts.ListOptions.MatchQuery, "software_cve.cve")
		}

		var softwareVulnerableJoin string
		if len(softwareTitleIDs) > 0 {
			if opts.VulnerableOnly || opts.ListOptions.MatchQuery != "" {
				softwareVulnerableJoin += " AND ( "
				if !opts.VulnerableOnly && opts.ListOptions.MatchQuery != "" {
					softwareVulnerableJoin += `
					    -- Software without vulnerabilities
						(
							NOT EXISTS (
								SELECT 1
								FROM
									software_cve
								WHERE
									software_cve.software_id = software.id
							) ` + matchClause + `
					    ) OR
					`
				}

				softwareVulnerableJoin += `
				-- Software with vulnerabilities
				EXISTS (
					SELECT 1
					FROM
						software_cve
				`
				cveMetaJoin := "\n INNER JOIN cve_meta ON software_cve.cve = cve_meta.cve"

				// Only join CVE table if there are filters
				if hasCVEMetaFilters {
					softwareVulnerableJoin += cveMetaJoin
				}
				softwareVulnerableJoin += `
					WHERE
						software_cve.software_id = software.id
				`
				softwareVulnerableJoin += cveMetaFilter
				softwareVulnerableJoin += "\n" + strings.ReplaceAll(cveMatchClause, "AND", "AND (")
				softwareVulnerableJoin += strings.ReplaceAll(matchClause, "AND", "OR") + ")"
				softwareVulnerableJoin += "\n)"
				if !opts.VulnerableOnly || opts.ListOptions.MatchQuery != "" {
					softwareVulnerableJoin += ")"
				}
			}

			installedSoftwareJoinsCondition := ""
			if len(softwareIDs) > 0 {
				installedSoftwareJoinsCondition = `AND software.id IN (?)`
			}

			softwareTitleStatement = `
			-- SELECT for software
			%s
			FROM
				software_titles
			LEFT JOIN
				software_installers ON software_titles.id = software_installers.title_id
				AND software_installers.global_or_team_id = :global_or_team_id
			LEFT JOIN
				software ON software_titles.id = software.title_id ` + installedSoftwareJoinsCondition + `
			WHERE
				software_titles.id IN (?)
			%s
			` + softwareOnlySelfServiceClause + `
			-- GROUP by for software
			%s
			`

			var softwareTitleArgs []interface{}
			if len(softwareIDs) > 0 {
				softwareTitleStatement, softwareTitleArgs, err = sqlx.In(softwareTitleStatement, softwareIDs, softwareTitleIDs)
			} else {
				softwareTitleStatement, softwareTitleArgs, err = sqlx.In(softwareTitleStatement, softwareTitleIDs)
			}
			if err != nil {
				return nil, nil, ctxerr.Wrap(ctx, err, "expand IN query for software titles")
			}
			softwareTitleStatement, softwareTitleArgsNamedArgs, err := sqlx.Named(softwareTitleStatement, namedArgs)
			if err != nil {
				return nil, nil, ctxerr.Wrap(ctx, err, "build named query for software titles")
			}
			args = append(args, softwareTitleArgsNamedArgs...)
			args = append(args, softwareTitleArgs...)
			if len(cveNamedArgs) > 0 {
				args = append(args, cveNamedArgs...)
			}
			if len(cveMatchArgs) > 0 {
				args = append(args, cveMatchArgs...)
			}
			if len(matchArgs) > 0 {
				args = append(args, matchArgs...)
				// Have to conditionally add the additional match for software without vulnerabilities
				if !opts.VulnerableOnly && opts.ListOptions.MatchQuery != "" {
					args = append(args, matchArgs...)
				}
			}
			stmt += softwareTitleStatement
		}

		if !opts.VulnerableOnly && len(vppAdamIDs) > 0 {
			if len(softwareTitleIDs) > 0 {
				vppAdamStatment = ` UNION `
			}

			vppAdamStatment += `
			-- SELECT for vpp apps
			%s
			FROM
				software_titles
			INNER JOIN
				vpp_apps ON software_titles.id = vpp_apps.title_id AND vpp_apps.platform = :host_platform
			INNER JOIN
				vpp_apps_teams ON vpp_apps.adam_id = vpp_apps_teams.adam_id AND vpp_apps.platform = vpp_apps_teams.platform AND vpp_apps_teams.global_or_team_id = :global_or_team_id
			WHERE
				vpp_apps.adam_id IN (?)
				AND true
			` + vppOnlySelfServiceClause + `
			-- GROUP BY for vpp apps
			%s
			`

			vppAdamStatement, vppAdamArgs, err := sqlx.In(vppAdamStatment, vppAdamIDs)
			if err != nil {
				return nil, nil, ctxerr.Wrap(ctx, err, "expand IN query for vpp titles")
			}
			vppAdamStatement, vppAdamArgsNamedArgs, err := sqlx.Named(vppAdamStatement, namedArgs)
			if err != nil {
				return nil, nil, ctxerr.Wrap(ctx, err, "build named query for vpp titles")
			}
			vppAdamStatement = strings.ReplaceAll(vppAdamStatement, "AND true", matchClause)
			args = append(args, vppAdamArgsNamedArgs...)
			args = append(args, vppAdamArgs...)
			if len(matchArgs) > 0 {
				args = append(args, matchArgs...)
			}
			stmt += vppAdamStatement
		}

		if !opts.VulnerableOnly && len(inHouseIDs) > 0 {
			var inHouseStmt string
			if len(softwareTitleIDs) > 0 || len(vppAdamIDs) > 0 {
				inHouseStmt = ` UNION `
			}

			inHouseStmt += `
			-- SELECT for in-house apps
			%s
			FROM
				software_titles
			INNER JOIN in_house_apps ON
				software_titles.id = in_house_apps.title_id AND in_house_apps.platform = :host_platform AND in_house_apps.global_or_team_id = :global_or_team_id
			WHERE
				in_house_apps.id IN (?)
				AND true
			` + inHouseOnlySelfServiceClause + `
			-- GROUP BY for in-house apps
			%s
			`

			inHouseStmt, inHouseArgs, err := sqlx.In(inHouseStmt, inHouseIDs)
			if err != nil {
				return nil, nil, ctxerr.Wrap(ctx, err, "expand IN query for in-house titles")
			}
			inHouseStmt, inHouseArgsNamedArgs, err := sqlx.Named(inHouseStmt, namedArgs)
			if err != nil {
				return nil, nil, ctxerr.Wrap(ctx, err, "build named query for in-house titles")
			}
			inHouseStmt = strings.ReplaceAll(inHouseStmt, "AND true", matchClause)
			args = append(args, inHouseArgsNamedArgs...)
			args = append(args, inHouseArgs...)
			if len(matchArgs) > 0 {
				args = append(args, matchArgs...)
			}
			stmt += inHouseStmt
		}

		var countStmt string
		var sprintfArgs []any
		// we do not scan vulnerabilities on vpp/in-house software available for install
		includeSoftwareTitles := len(softwareTitleIDs) > 0
		includeVPP := !opts.VulnerableOnly && len(vppAdamIDs) > 0
		includeInHouse := !opts.VulnerableOnly && len(inHouseIDs) > 0
		if includeSoftwareTitles {
			sprintfArgs = append(sprintfArgs, `SELECT software_titles.id`, softwareVulnerableJoin, `GROUP BY software_titles.id`)
		}
		if includeVPP {
			sprintfArgs = append(sprintfArgs, `SELECT software_titles.id`, `GROUP BY software_titles.id`)
		}
		if includeInHouse {
			sprintfArgs = append(sprintfArgs, `SELECT software_titles.id`, `GROUP BY software_titles.id`)
		}
		if len(sprintfArgs) == 0 {
			return []*fleet.HostSoftwareWithInstaller{}, &fleet.PaginationMetadata{}, nil
		}
		countStmt = fmt.Sprintf(stmt, sprintfArgs...)

		if err := sqlx.GetContext(
			ctx,
			ds.reader(ctx),
			&titleCount,
			fmt.Sprintf("SELECT COUNT(id) FROM (%s) AS combined_results", countStmt),
			args...,
		); err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "get host software count")
		}

		var replacements []any
		if len(softwareTitleIDs) > 0 {
			replacements = append(replacements,
				// For software installers
				`
				SELECT
					software_titles.id,
					software_titles.name,
					software_titles.source AS source,
					software_titles.extension_for AS extension_for,
					software_titles.upgrade_code AS upgrade_code, -- should be empty or non-empty string for "programs" sourced software, null otherwise
					software_installers.id AS installer_id,
					software_installers.self_service AS package_self_service,
					software_installers.filename AS package_name,
					software_installers.version AS package_version,
					software_installers.platform as package_platform,
					GROUP_CONCAT(software.id) AS software_id_list,
					GROUP_CONCAT(software.source) AS software_source_list,
					GROUP_CONCAT(software.extension_for) AS software_extension_for_list,
					GROUP_CONCAT(software.upgrade_code) AS software_upgrade_code_list,
					GROUP_CONCAT(software.version) AS version_list,
					GROUP_CONCAT(software.bundle_identifier) AS bundle_identifier_list,
					NULL AS vpp_app_adam_id_list,
					NULL AS vpp_app_version_list,
					NULL AS vpp_app_platform_list,
					NULL AS vpp_app_icon_url_list,
					NULL AS vpp_app_self_service_list,
					NULL AS in_house_app_id_list,
					NULL AS in_house_app_name_list,
					NULL AS in_house_app_version_list,
					NULL as in_house_app_platform_list,
					NULL as in_house_app_self_service_list
			`, softwareVulnerableJoin, `
				GROUP BY
					software_titles.id,
					software_titles.name,
					software_titles.source,
					software_titles.extension_for,
					software_titles.upgrade_code,
					software_installers.id,
					software_installers.self_service,
					software_installers.filename,
					software_installers.version,
					software_installers.platform
			`)
		}
		if includeVPP {
			replacements = append(replacements,
				// For vpp apps
				`
				SELECT
					software_titles.id,
					software_titles.name,
					software_titles.source AS source,
					software_titles.extension_for AS extension_for,
					software_titles.upgrade_code AS upgrade_code, -- should always be null for vpp (mac) apps
					NULL AS installer_id,
					NULL AS package_self_service,
					NULL AS package_name,
					NULL AS package_version,
					NULL as package_platform,
					NULL AS software_id_list,
					NULL AS software_source_list,
					NULL AS software_extension_for_list,
					NULL AS software_upgrade_code_list,
					NULL AS version_list,
					NULL AS bundle_identifier_list,
					GROUP_CONCAT(vpp_apps.adam_id) AS vpp_app_adam_id_list,
					GROUP_CONCAT(vpp_apps.latest_version) AS vpp_app_version_list,
					GROUP_CONCAT(vpp_apps.platform) as vpp_app_platform_list,
					GROUP_CONCAT(vpp_apps.icon_url) AS vpp_app_icon_url_list,
					GROUP_CONCAT(vpp_apps_teams.self_service) AS vpp_app_self_service_list,
					NULL AS in_house_app_id_list,
					NULL AS in_house_app_name_list,
					NULL AS in_house_app_version_list,
					NULL as in_house_app_platform_list,
					NULL as in_house_app_self_service_list
			`, `
				GROUP BY
					software_titles.id,
					software_titles.name,
					software_titles.source,
					software_titles.extension_for,
					software_titles.upgrade_code
			`)
		}

		if includeInHouse {
			replacements = append(replacements,
				// For in-house apps
				`
				SELECT
					software_titles.id,
					software_titles.name,
					software_titles.source AS source,
					software_titles.extension_for AS extension_for,
					software_titles.upgrade_code AS upgrade_code,
					NULL AS installer_id,
					NULL AS package_self_service,
					NULL AS package_name,
					NULL AS package_version,
					NULL as package_platform,
					NULL AS software_id_list,
					NULL AS software_source_list,
					NULL AS software_extension_for_list,
					NULL AS software_upgrade_code_list,
					NULL AS version_list,
					NULL AS bundle_identifier_list,
					NULL AS vpp_app_adam_id_list,
					NULL AS vpp_app_version_list,
					NULL as vpp_app_platform_list,
					NULL AS vpp_app_icon_url_list,
					NULL AS vpp_app_self_service_list,
					GROUP_CONCAT(in_house_apps.id) AS in_house_app_id_list,
					GROUP_CONCAT(in_house_apps.filename) AS in_house_app_name_list,
					GROUP_CONCAT(in_house_apps.version) AS in_house_app_version_list,
					GROUP_CONCAT(in_house_apps.platform) as in_house_app_platform_list,
					GROUP_CONCAT(in_house_apps.self_service) as in_house_app_self_service_list
			`, `
				GROUP BY
					software_titles.id,
					software_titles.name,
					software_titles.source,
					software_titles.extension_for,
					software_titles.upgrade_code
			`)
		}
		stmt = fmt.Sprintf(stmt, replacements...)
		stmt = fmt.Sprintf("SELECT * FROM (%s) AS combined_results", stmt)
		stmt, _ = appendListOptionsToSQL(stmt, &opts.ListOptions)

		if err := sqlx.SelectContext(ctx, ds.reader(ctx), &hostSoftwareList, stmt, args...); err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "list host software")
		}

		// collect install paths by software.id
		installedPaths, err := ds.getHostSoftwareInstalledPaths(ctx, host.ID)
		if err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "Could not get software installed paths")
		}
		installedPathBySoftwareId := make(map[uint][]string)
		pathSignatureInformation := make(map[uint][]fleet.PathSignatureInformation)
		for _, ip := range installedPaths {
			installedPathBySoftwareId[ip.SoftwareID] = append(installedPathBySoftwareId[ip.SoftwareID], ip.InstalledPath)
			pathSignatureInformation[ip.SoftwareID] = append(pathSignatureInformation[ip.SoftwareID], fleet.PathSignatureInformation{
				InstalledPath:  ip.InstalledPath,
				TeamIdentifier: ip.TeamIdentifier,
				HashSha256:     ip.ExecutableSHA256,
			})
		}

		// extract into vulnerabilitiesBySoftwareID
		type softwareCVE struct {
			SoftwareID uint   `db:"software_id"`
			CVE        string `db:"cve"`
		}
		var softwareCVEs []softwareCVE

		if len(softwareIDs) > 0 {
			cveStmt := `
				SELECT
					software_id,
					cve
				FROM
					software_cve
				WHERE
					software_id IN (?)
				ORDER BY
					software_id, cve
			`
			cveStmt, args, err = sqlx.In(cveStmt, softwareIDs)
			if err != nil {
				return nil, nil, ctxerr.Wrap(ctx, err, "building query args to list cves")
			}
			if err := sqlx.SelectContext(ctx, ds.reader(ctx), &softwareCVEs, cveStmt, args...); err != nil {
				return nil, nil, ctxerr.Wrap(ctx, err, "list software cves")
			}
		}

		// group by softwareID
		vulnerabilitiesBySoftwareID := make(map[uint][]string)
		for _, cve := range softwareCVEs {
			vulnerabilitiesBySoftwareID[cve.SoftwareID] = append(vulnerabilitiesBySoftwareID[cve.SoftwareID], cve.CVE)
		}

		// Grab the automatic install policies, if any exist.
		teamID := uint(0) // "No team" host
		if host.TeamID != nil {
			teamID = *host.TeamID // Team host
		}
		// NOTE: in-house apps do not support automatic install policies at the moment
		policies, err := ds.getPoliciesBySoftwareTitleIDs(ctx, append(vppTitleIDs, softwareTitleIDs...), teamID)
		if err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "batch getting policies by software title IDs")
		}

		policiesBySoftwareTitleId := make(map[uint][]fleet.AutomaticInstallPolicy, len(policies))
		for _, p := range policies {
			policiesBySoftwareTitleId[p.TitleID] = append(policiesBySoftwareTitleId[p.TitleID], p)
		}

		iconsBySoftwareTitleID, err := ds.GetSoftwareIconsByTeamAndTitleIds(ctx, teamID, append(append(vppTitleIDs, inHouseTitleIDs...), softwareTitleIDs...))
		if err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "get software icons by team and title IDs")
		}

		displayNames, err := ds.getDisplayNamesByTeamAndTitleIds(ctx, teamID, append(append(vppTitleIDs, inHouseTitleIDs...), softwareTitleIDs...))
		if err != nil {
			return nil, nil, ctxerr.Wrap(ctx, err, "get software display names by team and title IDs")
		}

		indexOfSoftwareTitle := make(map[uint]uint)
		deduplicatedList := make([]*hostSoftware, 0, len(hostSoftwareList))
		for _, softwareTitleRecord := range hostSoftwareList {
			softwareTitle := bySoftwareTitleID[softwareTitleRecord.ID]
			inventoriedVPPApp := hostVPPInstalledTitles[softwareTitleRecord.ID]
			inventoriedInHouseApp := hostInHouseInstalledTitles[softwareTitleRecord.ID]

			if softwareTitle != nil && softwareTitle.SoftwareID != nil {
				// if we have a software id, that means that this record has been installed on the host,
				// we should double check the hostInstalledSoftwareSet,
				// but we want to make sure that software id is present on the InstalledVersions list to be processed
				if s, ok := hostInstalledSoftwareSet[*softwareTitle.SoftwareID]; ok {
					softwareIDStr := strconv.FormatUint(uint64(*softwareTitle.SoftwareID), 10)
					pushVersion(softwareIDStr, softwareTitleRecord, *s)
				}
			}
			if inventoriedVPPApp != nil && inventoriedVPPApp.SoftwareID != nil {
				// Vpp app installed on the host, we need to push this into the installed versions list as well
				if s, ok := hostInstalledSoftwareSet[*inventoriedVPPApp.SoftwareID]; ok {
					softwareIDStr := strconv.FormatUint(uint64(*inventoriedVPPApp.SoftwareID), 10)
					pushVersion(softwareIDStr, softwareTitleRecord, *s)
				}
			}
			if inventoriedInHouseApp != nil && inventoriedInHouseApp.SoftwareID != nil {
				// in-house app installed on the host, we need to push this into the installed versions list as well
				if s, ok := hostInstalledSoftwareSet[*inventoriedInHouseApp.SoftwareID]; ok {
					softwareIDStr := strconv.FormatUint(uint64(*inventoriedInHouseApp.SoftwareID), 10)
					pushVersion(softwareIDStr, softwareTitleRecord, *s)
				}
			}

			if softwareTitleRecord.SoftwareIDList != nil {
				softwareIDList := strings.Split(*softwareTitleRecord.SoftwareIDList, ",")
				softwareSourceList := strings.Split(*softwareTitleRecord.SoftwareSourceList, ",")
				softwareVersionList := strings.Split(*softwareTitleRecord.VersionList, ",")
				softwareBundleIdentifierList := strings.Split(*softwareTitleRecord.BundleIdentifierList, ",")

				for index, softwareIdStr := range softwareIDList {
					version := &fleet.HostSoftwareInstalledVersion{}

					if softwareId, err := strconv.ParseUint(softwareIdStr, 10, 32); err == nil {

						softwareId := uint(softwareId)
						if software, ok := bySoftwareID[softwareId]; ok {
							version.Version = softwareVersionList[index]
							version.BundleIdentifier = softwareBundleIdentifierList[index]
							version.Source = softwareSourceList[index]
							version.LastOpenedAt = software.LastOpenedAt
							version.SoftwareID = softwareId
							version.SoftwareTitleID = softwareTitleRecord.ID

							version.InstalledPaths = installedPathBySoftwareId[softwareId]
							version.Vulnerabilities = vulnerabilitiesBySoftwareID[softwareId]

							if version.Source == "apps" {
								version.SignatureInformation = pathSignatureInformation[softwareId]
							}

							if storedIndex, ok := indexOfSoftwareTitle[softwareTitleRecord.ID]; ok {
								deduplicatedList[storedIndex].InstalledVersions = append(deduplicatedList[storedIndex].InstalledVersions, version)
							} else {
								softwareTitleRecord.InstalledVersions = append(softwareTitleRecord.InstalledVersions, version)
							}
						}
					}
				}
			}

			if softwareTitleRecord.VPPAppAdamIDList != nil {
				vppAppAdamIDList := strings.Split(*softwareTitleRecord.VPPAppAdamIDList, ",")
				vppAppSelfServiceList := strings.Split(*softwareTitleRecord.VPPAppSelfServiceList, ",")
				vppAppVersionList := strings.Split(*softwareTitleRecord.VPPAppVersionList, ",")
				vppAppPlatformList := strings.Split(*softwareTitleRecord.VPPAppPlatformList, ",")
				vppAppIconURLList := strings.Split(*softwareTitleRecord.VPPAppIconUrlList, ",")

				if storedIndex, ok := indexOfSoftwareTitle[softwareTitleRecord.ID]; ok {
					softwareTitleRecord = deduplicatedList[storedIndex]
				}

				for index, vppAppAdamIdStr := range vppAppAdamIDList {
					if vppAppAdamIdStr != "" {
						softwareTitle = byVPPAdamID[vppAppAdamIdStr]
						softwareTitleRecord.VPPAppAdamID = &vppAppAdamIdStr
					}

					vppAppSelfService := vppAppSelfServiceList[index]
					if vppAppSelfService != "" {
						if vppAppSelfService == "1" {
							softwareTitleRecord.VPPAppSelfService = ptr.Bool(true)
						} else {
							softwareTitleRecord.VPPAppSelfService = ptr.Bool(false)
						}
					}

					vppAppVersion := vppAppVersionList[index]
					if vppAppVersion != "" {
						softwareTitleRecord.VPPAppVersion = &vppAppVersion
					}

					vppAppPlatform := vppAppPlatformList[index]
					if vppAppPlatform != "" {
						softwareTitleRecord.VPPAppPlatform = &vppAppPlatform
					}
					VPPAppIconURL := vppAppIconURLList[index]
					if VPPAppIconURL != "" {
						softwareTitleRecord.VPPAppIconURL = &VPPAppIconURL
					}
				}
			}

			if softwareTitleRecord.InHouseAppIDList != nil {
				inHouseAppIDList := strings.Split(*softwareTitleRecord.InHouseAppIDList, ",")
				inHouseAppVersionList := strings.Split(*softwareTitleRecord.InHouseAppVersionList, ",")
				inHouseAppPlatformList := strings.Split(*softwareTitleRecord.InHouseAppPlatformList, ",")
				inHouseAppNameList := strings.Split(*softwareTitleRecord.InHouseAppNameList, ",")
				inHouseAppSelfServiceList := strings.Split(*softwareTitleRecord.InHouseAppSelfServiceList, ",")

				if storedIndex, ok := indexOfSoftwareTitle[softwareTitleRecord.ID]; ok {
					softwareTitleRecord = deduplicatedList[storedIndex]
				}

				for index, inHouseAppIDStr := range inHouseAppIDList {
					inHouseID64, err := strconv.ParseUint(inHouseAppIDStr, 10, 32)
					if err != nil {
						continue
					}

					inHouseID := uint(inHouseID64)

					softwareTitle = byInHouseID[inHouseID]
					softwareTitleRecord.InHouseAppID = &inHouseID

					inHouseAppVersion := inHouseAppVersionList[index]
					if inHouseAppVersion != "" {
						softwareTitleRecord.InHouseAppVersion = &inHouseAppVersion
					}

					inHouseAppPlatform := inHouseAppPlatformList[index]
					if inHouseAppPlatform != "" {
						softwareTitleRecord.InHouseAppPlatform = &inHouseAppPlatform
					}
					inHouseAppName := inHouseAppNameList[index]
					if inHouseAppName != "" {
						softwareTitleRecord.InHouseAppName = &inHouseAppName
					}
					inHouseAppSelfService := inHouseAppSelfServiceList[index]
					if inHouseAppSelfService != "" {
						if inHouseAppSelfService == "1" {
							softwareTitleRecord.InHouseAppSelfService = ptr.Bool(true)
						} else {
							softwareTitleRecord.InHouseAppSelfService = ptr.Bool(false)
						}
					}
				}
			}

			if storedIndex, ok := indexOfSoftwareTitle[softwareTitleRecord.ID]; ok {
				softwareTitleRecord = deduplicatedList[storedIndex]
			}

			// Merge the data of `software title` into `softwareTitleRecord`
			// We should try to move as much of these attributes into the `stmt` query
			if softwareTitle != nil {
				softwareTitleRecord.Status = softwareTitle.Status
				softwareTitleRecord.LastInstallInstallUUID = softwareTitle.LastInstallInstallUUID
				softwareTitleRecord.LastInstallInstalledAt = softwareTitle.LastInstallInstalledAt
				softwareTitleRecord.LastUninstallScriptExecutionID = softwareTitle.LastUninstallScriptExecutionID
				softwareTitleRecord.LastUninstallUninstalledAt = softwareTitle.LastUninstallUninstalledAt
				if softwareTitle.PackageSelfService != nil {
					softwareTitleRecord.PackageSelfService = softwareTitle.PackageSelfService
				}
			}

			// promote the package name and version to the proper destination fields
			if softwareTitleRecord.PackageName != nil {
				if _, ok := filteredBySoftwareTitleID[softwareTitleRecord.ID]; ok {
					hydrateHostSoftwareRecordFromDb(softwareTitleRecord, softwareTitle)
				}
			}

			// This happens when there is a software installed on the host but it is also a vpp record, so we want
			// to grab the vpp data from the installed vpp record and merge it onto the software record
			if installedVppRecord, ok := hostVPPInstalledTitles[softwareTitleRecord.ID]; ok {
				softwareTitleRecord.VPPAppAdamID = installedVppRecord.VPPAppAdamID
				softwareTitleRecord.VPPAppVersion = installedVppRecord.VPPAppVersion
				softwareTitleRecord.VPPAppPlatform = installedVppRecord.VPPAppPlatform
				softwareTitleRecord.VPPAppIconURL = installedVppRecord.VPPAppIconURL
				softwareTitleRecord.VPPAppSelfService = installedVppRecord.VPPAppSelfService
			}
			// promote the VPP app id and version to the proper destination fields
			if softwareTitleRecord.VPPAppAdamID != nil {
				if _, ok := filteredByVPPAdamID[*softwareTitleRecord.VPPAppAdamID]; ok {
					promoteSoftwareTitleVPPApp(softwareTitleRecord)
				}
			}

			// This happens when there is a software installed on the host but it is
			// also an in-house record, so we want to grab the in-house data from the
			// installed record and merge it onto the software record
			if installedInHouseRecord, ok := hostInHouseInstalledTitles[softwareTitleRecord.ID]; ok {
				softwareTitleRecord.InHouseAppID = installedInHouseRecord.InHouseAppID
				softwareTitleRecord.InHouseAppName = installedInHouseRecord.InHouseAppName
				softwareTitleRecord.InHouseAppVersion = installedInHouseRecord.InHouseAppVersion
				softwareTitleRecord.InHouseAppPlatform = installedInHouseRecord.InHouseAppPlatform
				softwareTitleRecord.InHouseAppSelfService = installedInHouseRecord.InHouseAppSelfService
			}
			// promote the in-house app id and version to the proper destination fields
			if softwareTitleRecord.InHouseAppID != nil {
				if _, ok := filteredByInHouseID[*softwareTitleRecord.InHouseAppID]; ok {
					promoteSoftwareTitleInHouseApp(softwareTitleRecord)
				}
			}

			// NOTE: in-house apps do not support automatic install policies at the moment
			if policies, ok := policiesBySoftwareTitleId[softwareTitleRecord.ID]; ok {
				switch {
				case softwareTitleRecord.AppStoreApp != nil:
					softwareTitleRecord.AppStoreApp.AutomaticInstallPolicies = policies
				case softwareTitleRecord.SoftwarePackage != nil:
					softwareTitleRecord.SoftwarePackage.AutomaticInstallPolicies = policies
				default:
					level.Warn(ds.logger).Log(
						"team_id", teamID,
						"host_id", host.ID,
						"software_title_id", softwareTitleRecord.ID,
						"msg", "software title record should have an associated VPP application or software package",
					)
				}
			}

			if icon, ok := iconsBySoftwareTitleID[softwareTitleRecord.ID]; ok {
				softwareTitleRecord.IconUrl = ptr.String(icon.IconUrl())
			}

			if displayName, ok := displayNames[softwareTitleRecord.ID]; ok {
				softwareTitleRecord.DisplayName = displayName
			}

			if _, ok := indexOfSoftwareTitle[softwareTitleRecord.ID]; !ok {
				indexOfSoftwareTitle[softwareTitleRecord.ID] = uint(len(deduplicatedList))
				deduplicatedList = append(deduplicatedList, softwareTitleRecord)
			}
		}

		hostSoftwareList = deduplicatedList
	}

	perPage := opts.ListOptions.PerPage
	var metaData *fleet.PaginationMetadata
	if opts.ListOptions.IncludeMetadata {
		if perPage <= 0 {
			perPage = defaultSelectLimit
		}
		metaData = &fleet.PaginationMetadata{
			HasPreviousResults: opts.ListOptions.Page > 0,
			TotalResults:       titleCount,
		}
		if len(hostSoftwareList) > int(perPage) { //nolint:gosec // dismiss G115
			metaData.HasNextResults = true
			hostSoftwareList = hostSoftwareList[:len(hostSoftwareList)-1]
		}
	}

	software := make([]*fleet.HostSoftwareWithInstaller, 0, len(hostSoftwareList))
	for _, hs := range hostSoftwareList {
		software = append(software, &hs.HostSoftwareWithInstaller)
	}

	return software, metaData, nil
}

func (ds *Datastore) SetHostSoftwareInstallResult(ctx context.Context, result *fleet.HostSoftwareInstallResultPayload) (wasCanceled bool, err error) {
	const stmt = `
		UPDATE
			host_software_installs
		SET
			pre_install_query_output = ?,
			install_script_exit_code = ?,
			install_script_output = ?,
			post_install_script_exit_code = ?,
			post_install_script_output = ?
		WHERE
			execution_id = ? AND
			host_id = ?
`

	truncateOutput := func(output *string) *string {
		if output != nil {
			output = ptr.String(truncateScriptResult(*output))
		}
		return output
	}

	err = ds.withRetryTxx(ctx, func(tx sqlx.ExtContext) error {
		res, err := tx.ExecContext(ctx, stmt,
			truncateOutput(result.PreInstallConditionOutput),
			result.InstallScriptExitCode,
			truncateOutput(result.InstallScriptOutput),
			result.PostInstallScriptExitCode,
			truncateOutput(result.PostInstallScriptOutput),
			result.InstallUUID,
			result.HostID,
		)
		if err != nil {
			return ctxerr.Wrap(ctx, err, "update host software installation result")
		}
		if n, _ := res.RowsAffected(); n == 0 {
			return ctxerr.Wrap(ctx, notFound("HostSoftwareInstall").WithName(result.InstallUUID), "host software installation not found")
		}

		if result.Status() != fleet.SoftwareInstallPending {
			if _, err := ds.activateNextUpcomingActivity(ctx, tx, result.HostID, result.InstallUUID); err != nil {
				return ctxerr.Wrap(ctx, err, "activate next activity")
			}
		}

		// load whether or not the result was for a canceled activity
		err = sqlx.GetContext(ctx, tx, &wasCanceled, `SELECT canceled FROM host_software_installs WHERE execution_id = ?`, result.InstallUUID)
		if err != nil && !errors.Is(err, sql.ErrNoRows) {
			return err
		}
		return nil
	})
	return wasCanceled, err
}

func (ds *Datastore) CreateIntermediateInstallFailureRecord(ctx context.Context, result *fleet.HostSoftwareInstallResultPayload) (string, error) {
	// Get the original installation details first, including software title and package info
	const getDetailsStmt = `
		SELECT
			hsi.software_installer_id,
			hsi.user_id,
			hsi.policy_id,
			hsi.self_service,
			hsi.created_at,
			si.title_id AS software_title_id,
			si.filename AS software_package,
			st.name AS software_title
		FROM host_software_installs hsi
		INNER JOIN software_installers si ON si.id = hsi.software_installer_id
		INNER JOIN software_titles st ON st.id = si.title_id
		WHERE hsi.execution_id = ? AND hsi.host_id = ?
	`

	var details struct {
		SoftwareInstallerID uint      `db:"software_installer_id"`
		UserID              *uint     `db:"user_id"`
		PolicyID            *uint     `db:"policy_id"`
		SelfService         bool      `db:"self_service"`
		CreatedAt           time.Time `db:"created_at"`
		SoftwareTitleID     *uint     `db:"software_title_id"`
		SoftwarePackage     string    `db:"software_package"`
		SoftwareTitle       string    `db:"software_title"`
	}

	if err := sqlx.GetContext(ctx, ds.reader(ctx), &details, getDetailsStmt, result.InstallUUID, result.HostID); err != nil {
		return "", ctxerr.Wrap(ctx, err, "get original install details")
	}

	// Generate a deterministic execution ID for the failed attempt record
	// Use UUID v5 with the original InstallUUID and RetriesRemaining to ensure idempotency
	// Use a custom UUID namespace since our use case doesn't fit one of the standard UUID namespaces.
	namespace := uuid.MustParse("a87db2d7-a372-4d2f-9bd2-afdcd9775ca8")
	failedExecID := uuid.NewSHA1(namespace, []byte(fmt.Sprintf("%s-%d", result.InstallUUID, result.RetriesRemaining))).String()

	// Create or update a record with the failure details
	// Use INSERT ... ON DUPLICATE KEY UPDATE to make this idempotent
	const insertStmt = `
		INSERT INTO host_software_installs (
			execution_id,
			host_id,
			software_installer_id,
			user_id,
			policy_id,
			self_service,
			created_at,
			software_title_id,
			software_title_name,
			installer_filename,
			install_script_exit_code,
			install_script_output,
			pre_install_query_output,
			post_install_script_exit_code,
			post_install_script_output
		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
		ON DUPLICATE KEY UPDATE
			install_script_exit_code = VALUES(install_script_exit_code),
			install_script_output = VALUES(install_script_output),
			pre_install_query_output = VALUES(pre_install_query_output),
			post_install_script_exit_code = VALUES(post_install_script_exit_code),
			post_install_script_output = VALUES(post_install_script_output),
			updated_at = CURRENT_TIMESTAMP(6)
	`

	truncateOutput := func(output *string) *string {
		if output != nil {
			output = ptr.String(truncateScriptResult(*output))
		}
		return output
	}

	err := ds.withRetryTxx(ctx, func(tx sqlx.ExtContext) error {
		_, err := tx.ExecContext(ctx, insertStmt,
			failedExecID,
			result.HostID,
			details.SoftwareInstallerID,
			details.UserID,
			details.PolicyID,
			details.SelfService,
			details.CreatedAt,
			details.SoftwareTitleID,
			details.SoftwareTitle,
			details.SoftwarePackage,
			result.InstallScriptExitCode,
			truncateOutput(result.InstallScriptOutput),
			truncateOutput(result.PreInstallConditionOutput),
			result.PostInstallScriptExitCode,
			truncateOutput(result.PostInstallScriptOutput),
		)
		if err != nil {
			return err
		}
		return nil
	})
	if err != nil {
		return "", ctxerr.Wrap(ctx, err, "create intermediate failure record")
	}

	return failedExecID, nil
}

func getInstalledByFleetSoftwareTitles(ctx context.Context, qc sqlx.QueryerContext, hostID uint) ([]fleet.SoftwareTitle, error) {
	// We are overloading vpp_apps_count to indicate whether installed title is a VPP app or not.
	const stmt = `
SELECT
	st.id,
	st.name,
	st.source,
	st.extension_for,
	st.upgrade_code,
	st.bundle_identifier,
	0 as vpp_apps_count
FROM software_titles st
INNER JOIN software_installers si ON si.title_id = st.id
INNER JOIN host_software_installs hsi ON hsi.host_id = :host_id AND hsi.software_installer_id = si.id
WHERE hsi.removed = 0 AND hsi.canceled = 0 AND hsi.status = :software_status_installed

UNION

SELECT
	st.id,
	st.name,
	st.source,
	st.extension_for,
	st.upgrade_code,
	st.bundle_identifier,
	1 as vpp_apps_count
FROM software_titles st
INNER JOIN vpp_apps vap ON vap.title_id = st.id
INNER JOIN host_vpp_software_installs hvsi ON hvsi.host_id = :host_id AND hvsi.adam_id = vap.adam_id AND hvsi.platform = vap.platform
LEFT JOIN nano_command_results ncr ON ncr.command_uuid = hvsi.command_uuid
WHERE 
	hvsi.removed = 0 AND 
	hvsi.canceled = 0 AND 
	(ncr.status = :mdm_status_acknowledged OR hvsi.verification_at IS NOT NULL)
`
	selectStmt, args, err := sqlx.Named(stmt, map[string]interface{}{
		"host_id":                   hostID,
		"software_status_installed": fleet.SoftwareInstalled,
		"mdm_status_acknowledged":   fleet.MDMAppleStatusAcknowledged,
	})
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "build query to get installed software titles")
	}

	var titles []fleet.SoftwareTitle
	if err := sqlx.SelectContext(ctx, qc, &titles, selectStmt, args...); err != nil {
		return nil, ctxerr.Wrap(ctx, err, "get installed software titles")
	}
	return titles, nil
}

func markHostSoftwareInstallsRemoved(ctx context.Context, ex sqlx.ExtContext, hostID uint, titleIDs []uint) error {
	const stmt = `
UPDATE host_software_installs hsi
INNER JOIN software_installers si ON hsi.software_installer_id = si.id
INNER JOIN software_titles st ON si.title_id = st.id
SET hsi.removed = 1
WHERE hsi.host_id = ? AND st.id IN (?)
`
	stmtExpanded, args, err := sqlx.In(stmt, hostID, titleIDs)
	if err != nil {
		return ctxerr.Wrap(ctx, err, "build query args to mark host software install removed")
	}
	if _, err := ex.ExecContext(ctx, stmtExpanded, args...); err != nil {
		return ctxerr.Wrap(ctx, err, "mark host software install removed")
	}
	return nil
}

func markHostVPPSoftwareInstallsRemoved(ctx context.Context, ex sqlx.ExtContext, hostID uint, titleIDs []uint) error {
	const stmt = `
UPDATE host_vpp_software_installs hvsi
INNER JOIN vpp_apps vap ON hvsi.adam_id = vap.adam_id AND hvsi.platform = vap.platform
INNER JOIN software_titles st ON vap.title_id = st.id
SET hvsi.removed = 1
WHERE hvsi.host_id = ? AND st.id IN (?)
`
	stmtExpanded, args, err := sqlx.In(stmt, hostID, titleIDs)
	if err != nil {
		return ctxerr.Wrap(ctx, err, "build query args to mark host vpp software install removed")
	}
	if _, err := ex.ExecContext(ctx, stmtExpanded, args...); err != nil {
		return ctxerr.Wrap(ctx, err, "mark host vpp software install removed")
	}
	return nil
}

func (ds *Datastore) NewSoftwareCategory(ctx context.Context, name string) (*fleet.SoftwareCategory, error) {
	stmt := `INSERT INTO software_categories (name) VALUES (?)`
	res, err := ds.writer(ctx).ExecContext(ctx, stmt, name)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "new software category")
	}

	r, _ := res.LastInsertId()
	id := uint(r) //nolint:gosec // dismiss G115
	return &fleet.SoftwareCategory{Name: name, ID: id}, nil
}

func (ds *Datastore) GetSoftwareCategoryIDs(ctx context.Context, names []string) ([]uint, error) {
	if len(names) == 0 {
		return []uint{}, nil
	}

	stmt := `SELECT id FROM software_categories WHERE name IN (?)`
	stmt, args, err := sqlx.In(stmt, names)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "sqlx.In for get software category ids")
	}

	var ids []uint
	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &ids, stmt, args...); err != nil {
		if !errors.Is(err, sql.ErrNoRows) {
			return nil, ctxerr.Wrap(ctx, err, "get software category ids")
		}
	}

	return ids, nil
}

func (ds *Datastore) GetCategoriesForSoftwareTitles(ctx context.Context, softwareTitleIDs []uint, teamID *uint) (map[uint][]string, error) {
	if len(softwareTitleIDs) == 0 {
		return map[uint][]string{}, nil
	}

	stmt := `
SELECT
	st.id AS title_id,
	sc.name AS software_category_name
FROM
	software_installers si
	JOIN software_titles st ON st.id = si.title_id
	JOIN software_installer_software_categories sisc ON sisc.software_installer_id = si.id
	JOIN software_categories sc ON sc.id = sisc.software_category_id
WHERE
	st.id IN (?) AND si.global_or_team_id = ?

UNION

SELECT
	st.id AS title_id,
	sc.name AS software_category_name
FROM
	vpp_apps va
	JOIN vpp_apps_teams vat ON va.adam_id = vat.adam_id AND va.platform = vat.platform
	JOIN software_titles st ON st.id = va.title_id
	JOIN vpp_app_team_software_categories vatsc ON vatsc.vpp_app_team_id = vat.id
	JOIN software_categories sc ON vatsc.software_category_id = sc.id
WHERE
	st.id IN (?) AND vat.global_or_team_id = ?

UNION

SELECT
	st.id AS title_id,
	sc.name AS software_category_name
FROM
	in_house_apps iha
	JOIN software_titles st ON st.id = iha.title_id
	JOIN in_house_app_software_categories ihasc ON ihasc.in_house_app_id = iha.id
	JOIN software_categories sc ON ihasc.software_category_id = sc.id
WHERE
	st.id IN (?) AND iha.global_or_team_id = ?
`

	var tmID uint
	if teamID != nil {
		tmID = *teamID
	}

	stmt, args, err := sqlx.In(stmt, softwareTitleIDs, tmID, softwareTitleIDs, tmID, softwareTitleIDs, tmID)
	if err != nil {
		return nil, ctxerr.Wrap(ctx, err, "sqlx.In for get categories for software installers")
	}
	var categories []struct {
		TitleID      uint   `db:"title_id"`
		CategoryName string `db:"software_category_name"`
	}
	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &categories, stmt, args...); err != nil {
		return nil, ctxerr.Wrap(ctx, err, "get categories for software installers")
	}

	ret := make(map[uint][]string, len(categories))
	for _, c := range categories {
		ret[c.TitleID] = append(ret[c.TitleID], c.CategoryName)
	}

	return ret, nil
}
